Managing Command, Control, and Communication (C3) Risks During Disaster Recovery Operations
Shane Molinari, MSc, CISSP, PMP, ITSM, SSMBB
Principal, BCM Professionals
HQ: 3785 Chanticleer Court, Tallahassee, Florida
Telephone: 888-587-4769
URL: BCMPros.com
Introduction
Statistics from 2011 demonstrate that private and public sector organizations realized significant security and disaster recovery Command, Control, and Communications (C3) impacts resulting from a lack of actionable governance and processes. Diminished communications between operations staff and stakeholders have led to significant rework, recovery cost overruns, failed businesses, and stress-related illness, injuries, and death.
Natural Disasters
90% of the deaths were due to storms, with the majority dying from exposure. This carried a price tag of $46.8B USD (NOAA).
Data Breaches
The cost of data breaches was $57B USD, exceeding drug trafficking for the first time (Experian and the Dept. of Justice).
Workplace Violence
Key homicide victims were in the 20-24 years age group, with 71% being killed by strangers (Dept. of Justice).
This paper will provide a straightforward solution that will reduce the aforementioned cost of disasters, based on scholarly research, using the fundamental principles of industry standards and best practices. First, the relationships between the disaster recovery operational members regarding the essence of C3 will be highlighted. This is essential in governance to ensure:
- The disaster recovery project meets the organizational objectives and goals of efficiency and effective operations
- Sustainable communications and information security management, regarding lines of communications internal and external to the response team, which is needed to prevent rumor mills and suppress unauthorized communiques going out to the general public
- Managing operational stressors affecting team members during recovery efforts
The process will begin with defining continuity, disaster, and disaster recovery. The terminology needs to be clear while moving through the process. Next will be listed the C3 steps that need to be taken, how to achieve the solution, and more importantly, what core competencies will be needed to establish and maintain the respective command, control, and communications during routine and emergency operations. The goal of this paper is to ensure organizational leadership has information that will aid them in recovering more effectively and efficiently. The objective is to provide the reader with a knowledge share and a quality source of intelligence.
Disaster recovery can now be defined as restoring resources (i.e., personnel, equipment, supplies, and facilities) to their operational location and status. It should be noted here for the sake of clarity that the only true exception to recovery is the death of a person.
Solution Discussion
Time is a precious resource, especially in disaster recovery. Establishing a business continuity governance framework (as a formal deliverable with financial, logistical, and administrative policies, procedures, and processes) should be straightforward and deliberate. Leveraging integrated guidelines and standards (e.g., NIMS, COBIT, PMI, ASIS, ISO) is a proven means of achieving Business Continuity Management (BCM) goals the right way the first time.
stakeholders. Governance consists of the leadership and organizational structures and processes that ensure sustainability and extend the enterprise's recovery strategies and objectives. Aligning recovery services reduces lost monies from inefficient operations and increases recovery teams' motivation and commitment to the organization, which are critical long-term success factors. It is crucial to visualize governance with integrated resources (i.e., people, technology, infrastructure). Research has already demonstrated that leveraging this systematic approach leads to robust performance and higher trust factors, manifested by strong horizontal ties across the crisis management divisions (e.g., operations, logistics, IT/IS Support) and vertical ties between the response team members and stakeholders (e.g., stockholders and clients). Consequently, these conditions foster strong levels of collective action where there is a high degree of sustainable continuity program designs, localized needs, and capacities for assisting one another during high-stress recovery operations.
C3 Solution: What To Do
It is all too common that in the aftermath of a disaster, there is consensus among stakeholders to build long-term risk management considerations into the reconstruction of devastated areas. Equally common, as the memory of the disaster fades, commitment tends to wane and consensus for long-range risk management planning disintegrates. To avoid this situation, ensure the elements of risk management are aligned and integrated with the respective strategic mission and objectives. This includes establishing BCM and Business Impact Analysis (BIA) that conform to standards and the evolutionary needs of the stakeholders involved in disaster recovery operations. This is important to efficiently address and improve the responders' ability to effectively manage business operations during and after disruptive incidents. To accurately reflect the risk profile, data should be gathered by a competently trained team to ensure the financial, technical, and physical sample data collected are representative of the respective organizational resources (i.e., no quick and easy cookie-cutter plans). The data should also be inventoried and categorized by kind and type, including their size, capacity, capability, skills, and other characteristics (e.g., readiness and credentials). These records need to be continually maintained through periodic training and exercises, using experienced personnel, standards, and best practices to ensure resource accountability, responder safety, and an overall effective use of incident resources. Finally, the use of formal methodologies and key performance measurements ensures the reduction of vulnerability and enhancement of resilience to disasters. Examples include: risk management cost-effectiveness methodologies and analyses, investigation of intrasocietal impacts of catastrophic events, research on decision making and risk perceptions, and research on implementation of risk management and mitigation programs.
[Figure: C3 governance diagram with the labels Risk Management, Strategic Alignment, Resource Management, Value Delivery, and Performance Management]
C3 Solution: How To Do It
Scholarly research statistics have proven that up to 82% of continuity projects fail to meet their intended scope, schedule, or budget goals. A primary reason for these failures is that organizations are often using a single process for operations and recovery (e.g., ISO, ASIS, NIMS), rather than leveraging multiple processes simultaneously. Because organizations have multiple stakeholders from different sectors (e.g., financial, IT, logistics), they should use integrated processes to provide complete recovery project coverage and operational refinement. This is especially true given the considerable coordination and collaboration each sector requires during emergencies. Reliable BCM systems incorporating integrated process solutions, standards, and best practices will by their nature continually drive organizations to analyze their respective enterprise and stakeholder needs. This approach will also define evolutionary (not revolutionary) processes that will contribute to the overall success. Using industry standards and best practices will provide a solid foundation to build BCM and BIA policies, processes, and procedures with a built-in quality assurance program designed for continuous improvements. The system of standards and practices to be used should at least include:
- Federal Emergency Management Agency (e.g., Incident Command)
- International Standards Organization (e.g., Risk, Security, & Service Management)
- National Institute of Standards and Technology (e.g., Safety, Security, Science)
- Project Management Institute (e.g., Scope, Schedule, Budget, Communications)
- Lean / Six Sigma (e.g., Gap Analysis, Continuous Improvement, Control)
[Figure: process diagram with the labels Standards & Best Practices, Document Current State, and Training & Audit]
Conclusion
This paper successfully illustrated the differences between continuity, disasters, and disaster recovery. Equally, it provided a straightforward solution for leadership to effectively manage command, control, and communication risks using integrated industry standards and best practices. This was an essential means of reducing opportunity costs resulting from disasters. Following these guidelines will provide enterprises with continuity and sustainability for the long term.
References
ASIS International. (2010). Business Continuity Management Systems: ASIS/BSI BCM.01-2010 American National Standard. ASIS International and British Standards Institute: United Kingdom.
Department of Homeland Security. (2009). FEMA-IS-700.A: National Incident Management System, An Introduction Instructor Guide.
Hewlett-Packard Development Company, L.P. (2009). Four Starting Points for Effective IT Project and Portfolio Management. Retrieved January 31, 2010 from http://www.hp.com/hpinfo/newsroom/press_kits/2009/lasvegasevents2009/WP_4startingpoints.pdf
IT Governance Institute (ITGI). (2007). COBiT 4.1: Framework, Control Objectives, Management Guidelines, and Maturity Models. Rolling Meadows: ITGI.
IT Governance Institute (ITGI). (2009). Retrieved on January 31, 2010 from http://www.itgi.org/template_ITGI.cfm?Section=About_IT_Governance1&Template=/ContentManagement/HTMLDisplay.cfm&ContentID=19657
Mohanty, P. (2009). Using e-Tools for Good Governance & Administrative Reforms. Retrieved January 16, 2010 from http://www.cgg.gov.in/workingpapers/eGovPaperARC.pdf
Molinari, S. (2008). Bridging the Gap Between Enterprise Business and IT. Retrieved from http://www.scribd.com/doc/45833126/20080326-SMolinari-Bridging-the-Gap-Between-Enterprise-Business-and-IT
National Research Council. (2006). Facing Hazards and Disasters: Understanding Human Dimensions. Committee on Disaster Research in the Social Sciences: Future Challenges and Opportunities. Washington, DC: The National Academies Press.
Project Management Institute (PMI). (2004). A Guide to the Project Management Body of Knowledge: PMBOK Guide, 3rd Edition. Newtown Square: Project Management Institute.
TIBCO. (2009). The Role of Governance in Ensuring SOA Success. Retrieved January 31, 2010 from http://www.tibco.com/multimedia/wp-role-of-governance-ensuring-soa-success_tcm8-8998.pdf
Warkentin, M., Moore, R., Bekkering, E., & Johnston, A. (2009). Analysis of Systems Development Project Risks: An Integrative Framework. ACM SIGMIS Database, 40(2), 827