Managing Command, Control, and Communication (C3) Risks During Disaster Recovery Operations


Shane Molinari, MSc, CISSP, PMP, ITSM, SSMBB Principal, BCM Professionals

HQ: 3785 Chanticleer Court, Tallahassee, Florida
Telephone: 888-587-4769
URL: BCMPros.com

Introduction
2011 statistics demonstrate that private and public sector organizations realized significant security and disaster recovery Command, Control, and Communications (C3) impacts resulting from a lack of actionable governance and processes. Diminished communications between operations staff and stakeholders have led to significant rework, recovery cost overruns, failed businesses, and stress-related illness, injuries, and death.

Natural Disasters
90% of the deaths were due to storms, with the majority dying from exposure. This carried a price tag of $46.8B USD (NOAA).

Data Breaches
The cost of data breaches was $57B USD, exceeding drug trafficking for the first time (Experian and the Dept. of Justice).

Workplace Violence
Key homicide victims were in the 20-24 years age group, with 71% being killed by strangers (Dept. of Justice).

This paper will provide a straightforward solution that will reduce the aforementioned cost of disasters, based on scholarly research, using the fundamental principles of industry standards and best practices. First, the relationships between the disaster recovery operational members regarding the essence of C3 will be highlighted. This is essential in governance to ensure:

- The disaster recovery project meets the organizational objectives and goals of efficient and effective operations
- Sustainable communications and information security management, regarding lines of communications internal and external to the response team, which is needed to prevent rumor mills and suppress unauthorized communiques going out to the general public
- Management of operational stressors affecting team members during recovery efforts

The process will begin with defining continuity, disaster, and disaster recovery. The terminology needs to be clear while moving through the process. Next will be listed the C3 steps that need to be taken, how to achieve the solution, and more importantly, what core competencies will be needed to establish and maintain the respective command, control, and communications during routine and emergency operations. The goal of this paper is to ensure organizational leadership has information that will aid them in recovering more effectively and efficiently. The objective is to provide the reader with a knowledge share and a quality source of intelligence.

Defining Continuity, Disaster, and Disaster Recovery


Why is defining these terms so important? The flow needs to be categorized into three central strategies: business continuity, disaster preparedness and disaster recovery. Before any organization can recover in an emergency, the team members have to know what tasks (logistical, operational, technical, etc.) to perform, what tools are needed to perform them, and how to perform them consistently. There is a common misconception that business continuity is, in the purest sense, the approach to prepare for disasters. Business Continuity details how business is conducted on a day-to-day basis. Moving forward as in the past, incidents from natural, man-made, and technology emergencies will occur. It is understood that these emergencies will have an impact on members of public and private sector organizations and their families. It is not a matter of if but when. By definition then, a disaster is a sudden event that results in damage and opportunity costs (e.g., property, money, life).

Disaster recovery can now be defined as restoring resources (i.e., personnel, equipment, supplies, and facilities) to their operational location and status. It should be noted here for the sake of clarity that the only true exception to recovery is the death of a person.


Solution Discussion
Time is a precious resource, especially in disaster recovery. Establishing a business continuity governance framework (as a formal deliverable with financial, logistical, and administrative policies, procedures, and processes) should be straightforward and deliberate. Leveraging integrated guidelines and standards (e.g., NIMS, COBIT, PMI, ASIS, ISO) is a proven means to achieving Business Continuity Management (BCM) goals the right way the first time.

Systems Approach to C3: Governance


Effective governance involves making sound decisions. It is the framework of authority that encourages desired behaviors in the overall disaster recovery team and its respective stakeholders. Governance consists of the leadership and organizational structures and processes that ensure sustainability and extend the enterprise's recovery strategies and objectives. Aligning recovery services reduces lost monies from inefficient operations and increases recovery teams' motivation and commitment to the organization, which are critical long-term success factors. It is crucial to visualize governance with integrated resources (i.e., people, technology, infrastructure). Research has already demonstrated that leveraging this systematic approach leads to robust performance and higher trust factors, manifested by strong horizontal ties across the crisis management divisions (e.g., operations, logistics, IT/IS Support) and vertical ties between the response team members and stakeholders (e.g., stockholders and clients). Consequently, these conditions foster strong levels of collective actions where there is a high degree of sustainable continuity program designs, localized needs, and capacities for assisting one another during high-stress recovery operations.

[Figure: integrated governance resources: People, Technology, Infrastructure]


C3 Solution: What To Do
It is all too common that during a disaster aftermath, there is consensus among stakeholders to build long-term risk management considerations into the reconstruction of devastated areas. Equally common, as the memory of the disaster fades, commitment tends to wane and consensus for long-range risk management planning disintegrates. To avoid this situation, ensure the elements of risk management are aligned and integrated with the respective strategic mission and objectives. This includes establishing BCM and Business Impact Analysis (BIA) that conform to standards and the evolutionary needs of the stakeholders involved in disaster recovery operations. This is important to efficiently address and improve the responders' ability to effectively manage business operations during and after disruptive incidents.

To accurately reflect the risk profile, data should be gathered by a competently trained team to ensure the financial, technical, and physical sample data collected are representative of the respective organizational resources (i.e., no quick and easy cookie-cutter plans). The data should also be inventoried and categorized by kind and type, including their size, capacity, capability, skills, and other characteristics (e.g., readiness and credentials). These records need to be continually maintained through periodic training and exercises, using experienced personnel, standards, and best practices to ensure resource accountability, responder safety, and an overall effective use of incident resources.

Finally, the use of formal methodologies and key performance measurements ensures the reduction of vulnerability and enhancement of resilience to disasters. Examples include: risk management cost-effectiveness methodologies and analyses, investigation of intrasocietal impacts of catastrophic events, research on decision making and risk perceptions, and research on implementation of risk management and mitigation programs.

[Figure: C3 Governance: Risk Management, Strategic Alignment, Resource Management, Value Delivery, Performance Management]

C3 Solution: How To Do It
Scholarly research statistics have proven that up to 82% of continuity projects fail to meet their intended scope, schedule, or budget goals. A primary reason for these failures is that organizations are often using a single process for operations and recovery (e.g., ISO, ASIS, NIMS), rather than leveraging multiple processes simultaneously. Because organizations have multiple stakeholders from different sectors (e.g., financial, IT, logistics), they should use integrated processes to provide complete recovery project coverage and operational refinement. This is especially true given the considerable coordination and collaboration each sector requires during emergencies.

[Figure: Standards & Best Practices: Document Current State; Resolve Weak Areas; Develop Mitigation Strategies; Ensure Sustainability & Compliance; Training & Audit]

Reliable BCM systems incorporating integrated process solutions, standards, and best practices will by their nature continually drive organizations to analyze their respective enterprise and stakeholder needs. This approach will also define evolutionary (not revolutionary) processes that will contribute to the overall success. Using industry standards and best practices will provide a solid foundation to build BCM and BIA policies, processes, and procedures with a built-in quality assurance program designed for continuous improvements. The system of standards and practices to be used should at least include:

- Federal Emergency Management Agency (e.g., Incident Command)
- International Standards Organization (e.g., Risk, Security, & Service Management)
- National Institute of Standards and Technology (e.g., Safety, Security, Science)
- Project Management Institute (e.g., Scope, Schedule, Budget, Communications)
- Lean / Six Sigma (e.g., Gap Analysis, Continuous Improvement, Control)


Core Competencies Needed to Achieve the C3 Solution


Emergencies are not simply tied to natural disasters or IT system failures. That said, fundamental BCM system standards require leadership to demonstrate its commitment to continuity and sustainability, to ensure continued support from stakeholders and stockholders. This seemingly clear and simple statement is the very cornerstone where need to illustrate their ability to sustain effective operational governance even when significant changes and unplanned events occur. To achieve the desired command, control, and communication results, risk assessments and their resulting BCM policies and procedures should be facilitated and executed by competently trained and experienced personnel to ensure continuity of operations. In keeping with industry standards and practices, the respective deliverables should then be used to provide training and awareness programs for the organizational membership, to ensure continuity and sustainability emplacements for normal and emergency operations. Deviating from this approach increases the probability of failure, resulting in lost time, monies, and people (e.g., stress-related illness, injuries, line-of-duty death, suicide).

Conclusion
This paper illustrated the differences between continuity, disasters, and disaster recovery. Equally, it provided a straightforward solution for leadership to effectively manage command, control, and communication risks using integrated industry standards and best practices. This is an essential means to reduce opportunity costs resulting from disasters. Following these guidelines will provide enterprises with continuity and sustainability for the long term.


About the Author


Shane Molinari has been providing full lifecycle Security and Emergency Management solutions to businesses and public sector agencies for more than 16 years. As a seasoned professional with integrated enterprise processes, his successes include recovering large-scale programs valued at more than $400M and small-scale projects alike, each with measurable results to ensure the success of the business. Shane speaks and writes on the values of integrated processes, IT/Governance, and Dynamic Strategic Planning to ensure organizational sustainability. He lectures on IT/Governance and is an accomplished Lean Six Sigma instructor. His latest papers include "Don't Put All of Your Eggs In One Basket: The Use of Multiple Processes to Prevent Project Failure" and "Establishing a Sustainable IT Governance: Bridging the Gap Between Enterprise Business and IT". He is currently a doctoral candidate for Emergency Management and holds multiple professional certifications including Project Management Professional (PMP), Certified Information System Security Professional (CISSP), IT Service Management, and Six Sigma Master Black Belt (SSMBB). Shane can be reached through his email address shanem@BCMProfessionals.com, his office phone 888-587-4769, or his mobile phone 850-625-2491.
