March 2007 • Volume 4 • Issue 3

Are We Fully Prepared? Identifying pitfalls of business continuity planning

National News • International News • Products • Events

Where business continuity, security and emergency management converge.

Also…

Predicting Hurricanes

Taking the Fear Out of BC Exercises: A Blueprint for Success

2007 03 Global Assurance Magazine


Global Assurance

IN THIS ISSUE…

FEATURES

Predicting Hurricanes: Times have changed

Taking the Fear Out of BC Exercises, Part II: Design for disaster

Are We Fully Prepared? Identifying pitfalls of business continuity planning

CPM-Global Assurance is a monthly subscription-based newsletter. It addresses the strategic integration of business continuity, security, emergency management, risk management, compliance and auditing to ensure continuity of operations in business and government — all within the context of good corporate governance. To subscribe to this unique resource, please fill out and fax back the subscription coupon on the back page.

CPM-Global Assurance (ISSN #1547-8904) is published monthly by The CPM Group, 3141 Fairview Park Dr., Suite 777, Falls Church, VA 22042.

© Entire contents copyright 2007. No portion of this publication may be reproduced in any form without written permission of the editor. Views expressed by the bylined contributors and sources cited should not be construed as reflecting the opinions and/or advice of this publication. Publication of product/service information should not be deemed as a recommendation by the editor. Editorial contributions are accepted from the contingency planning community. Contact the editor for details. Product/service information should be submitted in accordance with guidelines available from the editor. Editorial closing date is two months prior to the month of publication.

The CPM Group publishes CPM-Global Assurance and produces the CPM trade shows. Printed in the USA.

CPM-Global Assurance Contacts

Editor in Chief: DEVEN KICHLINE

Group Publisher: RUSSELL LINDSAY

Director, Event Planning & Marketing: KRISTIE O'KEEFE

Manager, Event Planning & Marketing: COURTNEY WITTER

Exhibit Sales/List Rentals: BRAD LEWIS

The CPM Group
3141 Fairview Park Dr., Suite 777
Falls Church, VA 22042
www.contingencyplanning.com
Fax: 609-397-5520

DEPARTMENTS

National News

International News

Events Calendar

Products

Predicting Hurricanes

Times have changed

Viewed from above, hurricanes appear as majestic storms comprised of towering thunderstorms spiraling around an often calm and clear center called an eye. But below the clouds are destructive winds, towering waves and torrential rainfall. Over water, hurricanes torment ships and can disrupt commerce. Over land, hurricanes cause considerable property damage, unleash flash flooding and spawn killer tornadoes.

And such a storm can strike with little or no warning. A day begins innocently enough; then, suddenly, it becomes overcast and breezes steadily increase. Howling winds drive sheets of torrential rain while toppling trees, snapping power lines and destroying homes. Even with advance notification, these are potentially deadly conditions. But, in the not-so-distant past, the absence of an Earth- and space-based detection network allowed hurricanes to make surprise entrances.

Knowing where and when a hurricane will strike and how strong it will be are the fundamental issues that challenge meteorologists, as their decisions impact life-saving preparedness plans. Advances in the last half-century have brought tremendous improvements in hurricane forecasting and, despite a growing coastal population, have yielded a dramatic decline in hurricane-related fatalities. Today, the National Oceanic & Atmospheric Administration (NOAA) uses an arsenal of forecasters, instruments, and computer-based tools to produce the best possible storm projections that extend days into the future.

NOAA’s investment in ocean and atmospheric research, coupled with technological advancements, has led to a remarkable transformation in hurricane monitoring and forecasting. Emerging from these combined factors has come intricate computer modeling, a vast network of ground- and ocean-based sensors, satellites and Hurricane Hunter aircraft. Accurate predictions of storm track and intensity are key to helping NOAA protect life and property.

LIMITED WARNING

Hurricane forecasts were once solely dependent upon relatively sparse observations of sky and water conditions, along with occasional ship reports of turbulent weather in the ocean. Attaining the limited data that was available was time-consuming and resulted in hand-drawn maps that displayed only a partial picture of what was actually occurring. Lacking a complete analysis of current weather patterns, in conjunction with insufficient knowledge of tropical meteorology, forecasts for tropical storms and hurricanes were deficient. These limited forecasts left little time for preparation before a hurricane struck.

Without advanced preparation, hurricanes are lethal. On NOAA’s list of the deadliest hurricanes to strike the United States, the overwhelming majority of storms occurred before hurricane prediction reached levels necessary to adequately serve the public.

Among noteworthy lethal hurricanes to strike the United States are:

• The Galveston (Texas) Hurricane of 1900, which resulted in a death toll of up to 12,000.
• The Lake Okeechobee (Florida) Hurricane of 1928, which was responsible for at least 2,500 fatalities.
• The Hurricane of 1938, which struck Long Island, New York and New England with a mere four hours advance warning and left approximately 600 individuals dead.

This map shows U.S. hurricane strikes between 1950 and 2005. Photos courtesy of NOAA


Armed with a greater understanding of a hurricane’s life cycle, along with a more robust automated observation network, today’s meteorologists can produce hurricane forecasts with greater precision. With NOAA’s National Hurricane Center, NOAA’s Central Pacific Hurricane Center and local National Weather Service forecast offices across the country, NOAA is constantly monitoring the tropics, from Guam in the western Pacific Ocean to the west coast of northern Africa, looking for storms.

Routine hurricane track forecasts for the Atlantic Basin (the Atlantic Ocean, Gulf of Mexico and Caribbean Sea) began in 1954 and could only provide information one day into the future. Forecasts were expanded to provide two days advance notice in 1961 and three days in 1964. Three days remained the standard for advance hurricane forecasts through 2002.

In 2003, boosted by the reliability of computer models, NOAA began issuing forecasts out to five days in advance. In addition to helping the public and local officials prepare for impending hurricane landfalls, this recent forecast extension helps the U.S. Navy ensure ships are safely removed from a storm’s path.

TACKLING KATRINA

The forecasted track of Hurricane Katrina is one example of NOAA’s modern-day forecast accuracy. As Katrina entered South Florida as a newly upgraded hurricane, National Hurricane Center forecasters knew the storm’s future path would take it over the energizing warm waters of the Gulf of Mexico before threatening the northern Gulf Coast. For a consistent 56 hours before landfall, the National Hurricane Center predicted the center of Katrina would specifically strike southeast Louisiana as a “major” hurricane.

While hurricanes remain one of nature’s most violent and destructive storms, and modern research strives to further improve the forecast of hurricane track and intensity, long gone are the days of surprise storms that go undetected until it is too late to prepare.

Achievements in hurricane forecasting are rooted in the growing number and integrity of data collection tools. From buoys in the ocean to land-based radars to Hurricane Hunter aircraft and satellites, these instrument networks are perpetually taking the pulse of the planet and feeding forecasters critical data.

Damage from the Galveston Hurricane of 1900 was caused by the hurricane and resulting storm surge. This was the greatest natural disaster in terms of loss of life in U.S. history.

AIRCRAFT

Gathering data from within, above and around hurricanes are aircraft operated by NOAA and the U.S. Air Force (USAF). Since the first intentional flight into a hurricane approaching Galveston, Texas, in late July 1943, NOAA and the USAF now routinely fly into storms that are a potential threat to the United States. Onboard radar and dropwindsondes, which are ejected from the plane’s belly to measure a cross-section of a hurricane’s pressure, temperature, humidity and wind, provide NOAA meteorologists with data of unmatched density.

SATELLITES

Satellites have greatly improved hurricane forecasting with their ability to provide informative snapshots of Earth. April 1, 1960, marked the first launch of a weather satellite. Since then, satellites have become increasingly mature in their ability to analyze cloud structures as well as read the temperature of ocean surfaces.

NOAA’s National Environmental Satellite, Data and Information Service supports two types of satellites: geostationary operational environmental satellites (GOES) for national, regional and short-range forecasting and polar-orbiting operational environmental satellites (POES) for global, long-term forecasting and environmental monitoring. Together, GOES and POES complete a global weather satellite monitoring system, tracking atmospheric variables, such as temperature, and providing atmospheric data and cloud images needed to track and understand hurricanes.

WEATHER RADAR

Weather radar, first introduced in the late 1950s, underwent a rebirth during the modernization of NOAA’s National Weather Service in the late 1980s and early 1990s. Today, a total of 155 WSR-88 Doppler radars constantly scan the skies over the United States and its territories. Doppler radar reads precipitation intensity and movement and a variety of wind data across a wide column of the atmosphere, providing forecasters with a valuable cross-section analysis of a storm.

Southeast Louisiana remained in Katrina’s projected landfall from the National Hurricane Center for a full 56 hours prior to the storm coming ashore near Buras, Louisiana, at 6:10 a.m. CT on August 29, 2005.

BUOYS AND FLOATS

Buoys and floats peppered throughout the oceans transmit a variety of valuable data at and below the ocean surface, including air and water temperature, wave height and wind direction and speed. Operated by NOAA’s National Data Buoy Center, the existing network of buoys is being enhanced with the addition of eight more hurricane buoys in the western Atlantic Ocean, which will allow NOAA to attain more data in an area where hurricanes frequently occur.

COMPUTER FORECAST MODELS

All of the observation elements mentioned above, as well as other sensors, provide essential data points that feed NOAA’s computer forecast models, which calculate likely future weather behavior. A more complete, current picture of a hurricane and its environment (the ocean and atmosphere) provided by land-, air-, ocean- and space-based sensors permits more accurate model projection. The mathematical representation for such computer forecast models is becoming more detailed and can better model a hurricane’s interactions with its surroundings, ultimately producing better forecasts.

For example, recent computer model upgrades have featured a better reflection of the “loop current” in the Gulf of Mexico. This narrow ribbon of very warm water can provide hurricanes with added fuel that allows them to strengthen rapidly. The model’s ability to project such intensification is invaluable, as it is instrumental in determining the extent of hurricane evacuations.

Not only has NOAA become proficient in forecasting individual storms, but also the evolving understanding of global ocean and atmospheric patterns has allowed NOAA to produce seasonal outlooks extending through the entire six-month hurricane season (June to November). These outlooks project the number of tropical storms, hurricanes and major hurricanes (Category 3 and higher) likely to form in each basin that NOAA is responsible for (including the Atlantic Basin and the Eastern and Central Pacific Basins).

Satellite images, such as this image of Hurricane Rita approaching the Gulf Coast, provide valuable information needed to monitor tropical storms.

Delving through the past shows how far our ability to predict hurricanes has come. With further improvements on the horizon led by an increasingly dense network of observations and sophisticated computer models, NOAA seeks to produce forecasts with even greater specificity. Working with the media, partner organizations and emergency officials and through enhanced outreach, NOAA aims to educate the public on taking proactive measures to lessen the impacts of hurricanes.

Whether NOAA is forecasting an above-average hurricane season, similar to the record-setting 2005 season with 28 storms and 15 hurricanes, or a below-average season for a given year, their fundamental advice remains the same: be prepared. It only takes one storm for it to be a bad season. After all, it may not be a matter of if a hurricane will strike; but rather a matter of when.

— NOAA


Hurricane buoys before being deployed from Gulfport, Mississippi.


NATIONAL NEWS

TAX ATTACKS

As the April 17 tax filing deadline approaches, cyber fraudsters are planning their attack on online tax filers to steal confidential information. Websense Inc., San Diego, Calif., a provider of Web security and Web filtering productivity software, has announced that Websense® Security Labs™ has seen a rise in phishing attacks via fraudulent e-mails and Web sites that spoof the Internal Revenue Service (IRS). Since December 2005, Websense Security Labs has been working together with the IRS and other organizations to investigate the rise of tax scams and better protect consumers and employee computing environments from increasingly sophisticated and dangerous Internet security threats.

Websense Security Labs has discovered tax attacks targeting the United States that are hosted on compromised Web servers in several countries. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a Web site to verify their information. Users receive one of a variety of e-mail messages with a link to a fraudulent Web site. Upon accessing the spoofed tax Web site, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information, which can be used for withdrawing funds.

Phishing can present a serious security risk for consumers and organizations. Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed Web sites, as most employees cannot determine which is a genuine site and which is a fake; however, employees don’t have to “fall for the phish” and actually enter confidential information on a phishing Web site to be compromised. For example, recent trends indicate that by just visiting a Web site, many types of phishing URLs can install spyware, such as a malicious keylogger, which has the ability to capture data including network passwords or social security numbers without their knowledge. It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords or trade secrets to jeopardize an entire organization’s intellectual property.

“Cyber thieves sit back and wait for current events, such as tax season, which provide an opportunity to manipulate for monetary rewards,” says Dan Hubbard, senior director, security and technology research, Websense Inc. “With tens of millions of online users filing their taxes on the Internet, many Web filers readily disclose personal identifiers such as network passwords, social security numbers, bank account numbers or their mother’s maiden name. The combination of having a large pool of potential users to target and the timeliness of the current event could lead to high numbers of both consumer and corporate victims.”

According to the IRS, 68.5 million tax returns were e-filed in 2005, and that number is predicted to increase at a record pace this year. The IRS also expects fraud attempts to rise and has published its own warnings in an attempt to educate the public on these scams. According to the IRS Web site, fraudulent e-mails appearing to come from the e-mail protected from spam bots, e-mail protected from spam bots or other similar irs.gov themed addresses offer a tax refund and direct recipients to a link contained in the e-mail. The link directs users to a clone of the IRS Web site that is modified to ask for personal and financial information not required by the real IRS page. Furthermore, through its own research, Websense Security Labs found that many of the sites have similar characteristics in their URL paths and include /IRS/claim-refund/caseid or /.www.irs.gov in the path.

Web filers can avoid tax attacks and other Internet security threats by taking a few simple measures. For example, the IRS recommends not clicking on any links in suspicious e-mails; instead, go directly to the IRS Web site: www.irs.gov.

In addition, companies seeking to protect their employees from phishing scams can employ Web filtering and Web security software to prevent users from accessing sites associated with fraudulent online activities such as phishing.

— Websense Inc.

DHS ISSUES PROPOSAL FOR STATES TO ENHANCE DRIVER’S LICENSES

The Department of Homeland Security (DHS) has announced its proposal to establish minimum standards for state-issued driver’s licenses and identification cards in compliance with the REAL ID Act of 2005. The REAL ID requirements are a result of recommendations made by the 9/11 Commission, which Congress passed into law, and will enhance the security and integrity of driver’s licenses.

“Raising the security standards on driver’s licenses establishes another layer of protection to prevent terrorists from obtaining and using fake documents to plan or carry out an attack. These standards correct glaring vulnerabilities exploited by some of the 9/11 hijackers who used fraudulently obtained driver’s licenses to board the airplanes in their attack against America,” says Homeland Security Secretary Michael Chertoff. “We will work closely with states to implement these standards and protect Americans’ privacy against identity theft and the use of fraudulent documents. We are also pleased to have been able to work with Senator Susan Collins, R-Maine, and I believe that the proposed regulations reflect her approach.”

The department’s proposed regulations set standards for states to meet the requirements of the REAL ID Act, including: security features that must be incorporated into each card; verification of information provided by applicants to establish their identity and lawful status in the United States; and physical security standards for locations where licenses and identification cards are issued.

As proposed, a REAL ID driver’s license will be required in order to access a federal facility, board federally-regulated commercial aircraft and enter nuclear power plants. Because states may have difficulty complying before the May 11, 2008, deadline, DHS will grant an extension of the compliance deadline until Dec. 31, 2009. States that have received extensions will, over the course of the waiver period, submit proposed timetables for compliance.

DHS has also announced that up to 20 percent of a state’s Homeland Security Grant Program funds can be used to help implement REAL ID. This additional flexibility will be made available during the current 2007 grant cycle.

In May 2005, President Bush signed the “Emergency Supplemental Appropriations Act for Defense, the Global War on Terror and Tsunami Relief Act” into law. Among the provisions contained in the law was the REAL ID Act.

The proposed regulations have been submitted to the Federal Register for a 60-day public comment period.

— DHS

STATE, LOCAL TRIBAL OFFICIALS TO GET NEW COORDINATED INTELLIGENCE SERVICES

A new federal intelligence coordinating group has been established to provide state, local and tribal government officials and emergency management operations with information related to terrorism threats, disasters and other related topics, which will be specifically targeted based on individual needs, reports Federal Computer Week.

According to Lora Becker, the incoming director of the interagency federal state and local threat reporting and assessments coordination group, there is a need “for a unified voice,” in federal communications and that the new analysis “is tailored to the needs of [state, local and tribal intelligence users] and advocating for those same customers.”

The intelligence provided will not “generate alerts, warnings or updates on homeland security threats. Its analysts will provide strategic assessments of threats and disseminate them through established routes, such as the FBI’s Joint Terrorism Task Forces and the dozens of technology-rich state information fusion centers.”

Additionally, there will be a cross-pollination of federal intelligence agents working with state and local officials at the state fusion centers to provide a more balanced intelligence dissemination and analyzation process. According to Michael Mines, the FBI deputy assistant director for the intelligence directorate, “the FBI sees these centers as a natural bridge to the joint terrorist task forces. We have over 100 analysts assigned to the 42 fusion centers.”

— National Council on Readiness and Preparedness

CONFLICTING SIGNALS CAN CONFUSE RESCUE ROBOTS

Sensor-laden robots capable of vital search and rescue missions at disaster sites are no figment of a science fiction writer’s imagination. Prototypes and commercial models of urban search and rescue (US&R) robots will soon begin to work rubble piles across the country. Too many of these lifesaving robots, however, could be too much of a good thing, according to researchers at the National Institute of Standards and Technology (NIST), who report that the radio transmissions of multiple robots can interfere with each other and degrade search and rescue performance.

A NIST analysis of wireless radio field trials for US&R robots found that 10 out of the 14 robots tested experienced communication problems due to radio interference from other systems. Engineers carried out tests on the robots last August at a US&R robot standards development gathering in Gaithersburg, Md., sponsored by the Department of Homeland Security. The researchers found that neither use of “industrial, scientific and medical” (ISM) frequency bands nor adherence to protocols designed to minimize interference between systems in the bands could guarantee flawless communication between a robot and its human operator. Radio interference could happen whenever the ISM frequency bands became crowded or when one user had a much higher output power than the others. An example of the latter problem occurred during the tests when transmitters in the 1760 MHz band knocked out video links in the 2.4 GHz frequency band. In another case, a robot using an 802.11b signal in the 2.4 GHz band overwhelmed and cut off a robot that had been transmitting an analog video link at 2.414 GHz.

The NIST paper lists a number of ways to improve urban search and rescue wireless communications. Options, some of which are currently being investigated by robot manufacturers, include changes in frequency coordination, transmission protocols, power output, access priority and using relay transformers to increase the range of wireless transmissions (a technique known as multi-hop communications). The paper also suggests establishing new access schemes or software-defined radios that allow interoperable communications.

The work is funded by DHS’s Science and Technology Directorate through NIST’s Office of Law Enforcement Standards.

— NIST

SURVEY SHOWS AMERICANS FEEL GOVERNMENT UNPREPARED FOR AVIAN FLU PANDEMIC

Recently, the International Association of Medicinal Compliance (IAMC) was in attendance at the Business Planning for Pandemic Summit, a national summit with a participation of more than 250 attendees representing 195 organizations and 40 states. Hosted by the Center for Infectious Disease Research and Planning (CIDRAP) at the University of Minnesota, the summit provided an opportunity for companies from industries in all sectors to come together and discuss the threat of an avian flu pandemic. Attendees heard presentations that addressed legal, healthcare, infrastructure, human resource, transportation and government support issues that affect companies in all industries. Across the two-day meeting, participants were given the chance to discuss specific industry needs and begin plans for continuity during an influenza pandemic. Alarmingly, 53 percent of participants feel the government is not well-prepared. As such, 76 percent say that social unrest and disruption will occur if a pandemic does occur.

In the event of a pandemic, it will be imperative to public health and order to develop effective and timely influenza plans. As the nation learned in the cases of 9/11 and Hurricane Katrina, the government, on both state and federal levels, needs to be prepared for a worst-case scenario situation, or else it will inevitably be unprepared. The summit was designed to enable business leaders, government officials, business-related organization officials and media to identify their roles and responsibilities in defining and executing a preparedness plan. In doing so, these leaders focused on critical risk assessment and mitigation, public policy, legal, supply chain and human resource planning for business continuity during a pandemic. Featured speakers included Michael Leavitt, the U.S. Secretary of Health and Human Services, Michael Osterholm, the Director of CIDRAP, Ted Koppel, former anchor and managing editor of Nightline and ABC News, and Tommy Thompson, the former U.S. Secretary of Health and Human Services.

Surprisingly, most of these participants, who are heavily associated with government functions, seemed disheartened by and weary of the government’s avian flu preparedness. According to Arne Carlson, the former governor of Minnesota, “We have not seen an acceptable government response. We only have the ability to handle tragedies with good leadership. The leadership needs to get out in front and say, ‘Here’s what affects us. Here’s how much it costs.’”

Similarly, Osterholm says, “SARS happened in the speed of hours/days and that was a smaller scale than this. This could happen overnight.”

Seventy-three percent of participants felt that government intervention would have a major impact on their business. Accordingly, 67 percent felt that developing relationships with state and local officials at this time would be essential to offsetting the detriment that a pandemic could cause; however, only 15 percent of respondents and their organizations had actually contacted the government on the issue surrounding a national pandemic. This signals that not only the government, but also organizations and citizens need to actively engage in defining and executing a pandemic preparedness plan.

As Carlson says, “It’d be wonderful if everyone could go home after this conference and write a letter to both the President and then the governor of their state, asking them for these answers.”

The IAMC (www.takeyourmedicine.org) is currently partnering with FLAVORx Inc. to provide actionable and feasible solutions to encourage and ensure that Americans take their medicine properly. By offering a scientifically tested and specifically developed medicinal flavoring to combat the bitter taste of antiviral drugs such as Tamiflu®, children and adults alike will be able to swallow liquid medications without struggle. Studies show that children are highly susceptible to infection, with about 45 percent of school-age children catching influenza during an epidemic. Children, then, play a significant role in viral transmission and spread of infection. For an extremely minimal cost, government officials will be able to stockpile flavorings to guarantee near 100 percent medicinal compliance, thereby preventing the emergence of resistant flu strains, persistent symptoms, harmful side effects, and even mortality as a result of taking medication improperly.

— IAMC

SURVEY REVEALS MORE THAN HALF OF SECURITY PROFESSIONALS MANUALLY UPDATE SECURITY SETTINGS

IT security professionals are spending unnecessarily large amounts of time to manually update security setting configurations, according to a recent survey conducted by San Diego, Calif.-based St. Bernard Software, a provider of security solutions. The result is increased vulnerability to known avoidable exploits.

In a recent survey of 233 IT security professionals, 52 percent of respondents said they still manually update security settings. The poll also found that 25 percent of respondents don’t have a way to manage security settings, leaving companies vulnerable to serious network threats and liabilities. Other findings from the survey revealed that 48 percent of companies do not have a policy in place for managing security settings.

According to the System Administration, Network and Security Institute (SANS), because of the many complex settings required to administer Windows, it is highly susceptible to security breaches. Yet the task of successfully performing settings management typically requires hours of tedious, proactive research, through hundreds of pages of documentation issued by Microsoft, NIST, NSA and other security experts.

With this in mind and the results from its recent survey, St. Bernard Software reminds organizations that unless security settings are updated regularly and configured properly, they are leaving their networks and machines in jeopardy.

“Knowing that 25 percent of IT security experts have not specifically addressed security settings management is a great concern. Hackers and virus writers are becoming more sophisticated by the day, and companies must stay on top of security settings, or they are leaving their network wide open for attack,” says Steve Yin, vice president of sales and marketing at St. Bernard Software. “Although half of the respondents are, in fact, performing this critical function, they're doing so manually, which may not be the most efficient or effective process.”

— St. Bernard Software


SHOW ME THE STORAGE ROI: COST AND MANAGEMENT ISSUES CONTINUE TO CONCERN CIOS

Hitachi Data Systems Corporation has unveiled the results of a survey conducted amongst CIOs from the Asia Pacific region.

IT costs are escalating due to increasing demands for data and information. CIOs are under greater pressure to justify IT investments based on business value rather than cost avoidance. The survey, which polled 100 respondents from China, Hong Kong, Korea, Taiwan, Singapore, Malaysia, Thailand, India, Korea and Indonesia, reveals that 64 percent of respondents said that the best thing vendors could do to support them was to build ROI assessments for their storage investments.

“Applications and the storage environments that companies depend upon have become critical drivers of business processes and decisions that impact organizational growth and profitability,” says Michael Cremen, senior vice president and general manager, APAC, Hitachi Data Systems. “At the same time, CIOs are challenged with the task of justifying their IT investments.”

Cost and management issues continue to be a concern amongst IT leaders within organizations in the region. Going into 2007, 45 percent of respondents indicated reducing storage management costs as a key challenge they would like to address, while 38 percent of respondents believe that ensuring their IT infrastructure will meet business needs will continue to be an important focus for the coming year.

The following are some of the business issues which will be of focus, and CIOs will be trying to balance these requirements while managing costs:

Business continuity: Every CIO fears the potential loss of company data, and, as a result, revenue in the event of an emergency. Ensuring all files are backed up and kept safe in a separate location is of paramount importance, and this will be borne out in 2007 as more and more organizations put business continuity plans into place.

Security: Regardless of industry, a company’s employee base will continue to use a multitude of applications. It is the CIO’s responsibility to ensure the data supporting these applications is secure but still easily accessible when needed. With increasingly strict rules governing data security and penalties for improper management, achieving the balance between security and usability is going to have a place near the top of the priority list.

Increase in regulation: The number of regulations companies must comply with is multiplying, creating exponential growth in the amount of data that needs to be stored. This is an opportunity for companies to mine and manage their most important assets.

As companies continue to leverage technology to meet business needs, gearing up the company IT environment will continue to be of importance. According to the survey, 38 percent of respondents believe that the convergence of technologies will have the biggest influence over storage growth in the next three years. In addition, 39 percent of the respondents believe that in the next three years, the biggest concern of CIOs will be to manage increasingly complex IT environments with minimal resources. This is especially true with the increased use of various technologies from different vendors, as well as shrinking IT resources.

Within this context, 42 percent of respondents believe that an important factor influencing business success is the interoperability of technologies from different vendors, while 23 percent think that adopting a centralized approach to management as well as a future-proof IT infrastructure are equally important factors.

This is especially crucial as the trend for mergers and acquisitions among companies across a range of industries is likely to continue in 2007. This adds complexity as CIOs integrate the different IT infrastructures.

Using a vendor which offers common management across heterogeneous storage devices will help in this instance. It will also alleviate the problem of different IT skills in the IT department, which can be an inhibitor to an efficient and easy integration.

— Hitachi Data Systems Corporation

PREPARING FOR THE PANDEMIC: CME RELEASES BUSINESS PLANNING GUIDE

Canadian Manufacturers & Exporters (CME) has unveiled a planning guide for Canadian business that will help mitigate the estimated $60 billion economic impact from a pandemic outbreak.

“Canada’s business community is at risk,” says CME President and CEO Perrin Beatty. “It’s not a matter of if, but a question of when the next pandemic will strike. Many Canadian companies are not prepared and this lack of readiness may threaten their economic viability and the delivery of critical goods that depend on complex supply chain systems.”

The World Bank estimates that the cost to the global economy of a flu pandemic would be upwards of $800 billion. According to the U.S. Congressional Budget Office, the impact of a pandemic would cost up to 5 percent of the gross domestic product.

Assuming Canada would be similarly affected and considering the reliance on trade, Canada’s economy could suffer by as much as $60 billion due to a pandemic outbreak – even more if the Canada-U.S. border were to experience serious difficulties.

“As a nation, we can’t afford to be unprepared,” says Beatty. “CME’s guide equips all Canadian business with tools and information to minimize the risk that influenza pandemic poses to the health and safety of employees, the continuity of business operations and the bottom line.”

The 87-page guide highlights key considerations when coping with a pandemic, including the critical elements of a continuity plan plus a summary checklist; a how-to guide to develop a continuity plan; medical precautions; and human resource considerations.

“A business continuity plan should be an essential element of any business strategy or operating procedures, as we have learned from SARS, 9/11 and even the ice storm,” says Beatty. “I cannot think of any reason not to be prepared, but 60 billion reasons why we should.”

CME’s Continuity Planning Guide for Canadian Business can be downloaded, free of charge at www.manufacturingour-future.ca.

— CME

CAN YOU TRUST YOUR EMPLOYEES WHEN IT COMES TO SECURING YOUR BUSINESS?

Research compiled on behalf of Trend Micro, an IT security company, has found that UK computer users are more reckless in their computer behavior at work than users in other countries. This comes as a particular worry for smaller businesses, as they’re often the ones that don’t have the constant presence of an IT department.

This international study has shown that UK users are more careless in their behavior when using an employer’s machine. More than half of the respondents (53 percent) rely on IT departments to rescue them should something bad happen. When asked why they were more risky and carefree with their online behavior at work than at home, 45 percent stated that they are not as worried because it’s not their computer equipment.

Pat Dunne of Trend Micro says, “Despite all the warnings, people still make avoidable mistakes and needlessly expose their PCs to computer ‘nasties’ that ultimately cause critical computers to fail. The solution is rethinking how companies warn employees about IT threats and adopting more automated defense systems that entirely bypass employees who may be the weak link.”

Illustrating how careless people can be, Trend Micro has compiled its top five most avoidable support calls:

1. Naked Anna: Hundreds of callers were re-infecting themselves over and over again with a virus while trying to view the picture of tennis star Anna Kournikova they’d received in an e-mail. They just kept on opening the e-mail to try and get a glimpse of a saucy picture of Anna. They just wouldn’t accept that it was all a hoax.

2. IT for beginners: A customer called saying that the floppy drive was not working. He was asked for the exact problem: “Is it that it does not read them? Does the drive accept them at all?” After several questions the caller replied that the problem was that the floppy disc just would not fit in the drive. He was again asked if he could check if there was another disc inside; he just replied that it wouldn’t fit in. The place where he had to put the floppy was then described to him. And his amazing reply? “The strange thing is that the floppy is square but the tray has a round shape.”

3. E-mail a worldwide form of communication? A man who owned his own business had called to request an engineer to come out. When asked why he needed the help of an engineer, he stated that he was trying to send an international e-mail. It was explained to him that he could send e-mails to an international e-mail address just as easily as he could to people in the UK. But he just wouldn’t believe it and insisted that the engineer be there to help him within the hour.

4. What’s a computer? A woman who couldn’t access anything on her PC was asked to restart it. She said it went black. When asked to turn it back on again, she said it had come back exactly how she left it. After a few minutes of scratching heads it was determined that she was just turning the screen on and off. She didn’t know that there was another part to her computer sitting on the ground under her desk.

5. Flirty fools: When the infamous “ILOVEYOU” e-mail virus hit, the flattery approach made people do the strangest things. Even the most tech-savvy people were opening this virus again and again thinking that someone had sent a flirty message to them.

— Trend Micro Inc.


Taking the Fear Out of BC Exercises: A Blueprint for Success
Part II: Design for results

By Telva Chase

If the key to a successful exercise starts with organization, then the design must strive for expected results. The Exercise Requirements Matrix, built and described in Part I of this series (February CPM-Global Assurance) outlined what types of exercises to perform, a suggested schedule for completing the exercises throughout the year, each of the design teams that need to be involved in designing an effective exercise and how to use a document template to store all the pertinent exercise information.

This article, Design for Results, will explain how to: (1) work with a design team; (2) plan to meet exercise goals and objectives; and (3) create a realistic scenario.

STEP 1: UNDERSTAND THE EXERCISE TEAM

The exercise team is made up of several sub-teams and individuals to ensure the exercise’s success. Each exercise you conduct may have all or some of the following roles and responsibilities:

Exercise Facilitator: Someone from the business continuity program office should facilitate the exercise and should meet with the design team to formulate the details of the exercise, as well as invite and interact with all participants prior to the exercise, if necessary. The facilitator is responsible for the pre-exercise briefing where the rules of engagement are outlined and all participants are given an opportunity to ask questions and feel comfortable with the proceedings. The facilitator will observe the exercise and will not stop the exercise unless there is a major issue with how the exercise is going. The facilitator runs the show, answers questions, progresses “time” and keeps things moving.

Exercise Assistant: The exercise assistant is critical to a smooth exercise. The best person for this position is usually an administrative assistant residing in the facility where you are conducting the exercise. They are responsible for reserving the room(s), ensuring appropriate audio-visuals are available, making copies of exercise documentation and ordering lunch, snacks and drinks. The assistant is also responsible for running messages between the simulation team and the recovery team rooms. Use your assistant in any way that makes sense: scribing during the debriefing, passing out cue cards or messages, etc.

Recovery Team: The recovery team consists of the local incident response team or emergency response team members who have responsibility for critical corporate areas (human resources, editorial, product management, IT, sales and marketing, legal, etc.) and have been trained in incident management, occupant emergency preparedness and have a business continuity or disaster recovery plan. The recovery team can be as large (groups of 40 or more are difficult) or as small as necessary (five to six employees). Even for a drill, you may want to exercise the entire building, or just a division or department. Always invite executive and senior management teams to participate. After an exercise, they often become the greatest supporters of the business continuity program. During the exercise they may or may not take an active role in the response/recovery, but it really depends on the corporate culture and natural leaders who are present. The design team can always “write someone out” of the exercise, but it’s nice to have them observe, even if they aren’t participating. You have to determine where to draw the line for participation. In some companies, it is at the director level (directors and above participate and only in abnormal circumstances do they have someone below the director-level participating).

Design Team: The design team is comprised of one staff member from each of the critical corporate areas (with a maximum of five to six participating) and will have the responsibility of designing the exercise in its entirety. They will also delegate and recruit evaluators and other members for the simulation team. The design team meets on average once a week for the four weeks leading up to the exercise and documents all meetings in the design document.

Simulation Team: The simulation team consists of the design team plus any other team members they delegate and recruit during the planning of the exercise. The simulation team role-plays or simulates any internal or external person that the recovery team might contact during the exercise. Because some businesses span across geographical locations, it is necessary to identify internal corporate resources that will participate in the exercise. In many cases you may want to exercise many locations at the same time that make up the same strategic business unit. This team “drives” the scenario and releases information as planned, to ensure that the recovery team responds to situations appropriately. The simulation team releases information to the recovery team by delivering messages, visiting recovery team members, phoning in messages or playing pre-recorded TV and radio announcements.

Observation Team: The observation team is made up of two or three observers or evaluators who can objectively observe and take notes during the exercise. They should be very familiar with the incident management, occupant emergency, business continuity and disaster recovery plans for that specific location. They are also briefed prior to the exercise during an orientation where expected results are discussed. The observation team is given a clipboard with prepared scenario simulation times, events, expected responses and room for making notes. If the exercise spans more than one location, a team in each location will need to be defined. The observation team provides feedback immediately following the exercise during the exercise debriefing.

STEP 2: MEET WITH THE DESIGN TEAM

Different types of exercises require different amounts of planning time. Part I of this series explained suggested planning times. For example purposes only, the following shows how to design an exercise that will require one month (or four weekly meetings). It is suggested that each meeting only last one hour.

Meeting 1: Identify Goals, Objectives and Participants

Start the planning process with a stated goal followed by specific objectives that support that goal. In order to exercise for desired results, you must first determine what it is you are trying to achieve. Begin filling in your exercise document template with the information discussed with the design team.

Examples of Goals:
• This exercise is to measure how personnel effectively evacuate the building following an alarm.
• The goal of this exercise is to perform a walk-through of the “plan” and discuss possibilities for response and recovery.
• The goal of this exercise is to ensure senior management know and understand all procedures for emergency management.
• The goal of this exercise is to ensure all organizations can communicate effectively during a time of crisis.
• The goal of this exercise is to test coordinated efforts between organizations during a response and recovery effort.

Ask the design team for viable candidates for the following positions: exercise assistant; recovery team; and observation team.

Meeting 2: Begin Developing the Scenario

In developing the scenario, think about threats, vulnerabilities and risks that are known as a result of performing the business impact analysis. Review written plans and identify areas for improvement. Ensure that the scenario is realistic for the location, building and its occupants. Do not plan an exercise scenario that would waste the team’s time.

Be sure to include things like date, time, weather and necessary background information. Do not leave anything for the recovery team to assume. The scenario and its messages that twist and turn the exercise must provide the recovery team with enough information to proceed with decision-making and response/recovery activities. Start with how the recovery team finds out about the incident. Give them the sequence of events or an initial damage report or assessment. Let them know where they are at all times. Don’t forget to “erase” people from the exercise: Who is missing? Who is still there? Are there injuries or fatalities? Has anything been communicated prior to the scenario beginning? Create a list of assumptions and artificialities and document them in the exercise document.

It is suggested to create a table for the scenario and a timeline that will “drive” when and how the different segments of the scenario will be fed to the recovery team. Suggested column headings include:
• Segment #: This could be a letter or number
• Real Date and Time: Date of exercise and time (to progress the clock)
• Simulated Date and Time: This is announced before each message
• Message: The next “piece” of the scenario
• Delivered How: Announced, phone call, radio, TV, in person
• Delivered By: Simulation team member name

Ensure at this point in time that facilities are available to use, and they have been reserved.

Meeting 3: Finalize Scenario and Initial Simulation Walk-Through

This will be the second session to discuss with the design team all the details of the scenario. All participants should be identified by now. The exercise goal, objectives, assumptions, artificialities and details about the scenario should be completed by the end of this meeting.

Go through the scenario with the design team and identify all external parties that the recovery team will most likely contact during the exercise. Create a “communications directory” and document in the exercise document. Assign “roles” for everyone on the communications directory and include only the cell phone numbers of those role-playing on the simulation team (no need to include their real names).

Meeting 4: Finalize Scenario, Logistics and Communications Directory

Ensure that rooms are reserved, lunch and/or beverages are ordered and that any audio-visual materials are reserved and available.

As time nears the exercise date, some participants may notify you they won’t be able to attend for various reasons. If you’ve written segments that affect them individually or you are expecting a certain response from them, you may need to “adjust” the scenario slightly to make things work out. Re-read the scenario and ensure that the activities meet or exceed the objectives and that the goal will be obtained.

Ensure that the design/simulation teams are comfortable with their roles and responsibilities, and ensure that cell phone numbers listed in the communications directory are correct.

Nail down last minute issues that have arisen, if any. Walk through the scenario one last time with the simulation team to ensure that everything is in place and the scenario is well understood.

STEP 3: PREPARE EXERCISE DOCUMENTATION

Several handouts will be needed during the exercise. The Exercise Document that has captured all of the exercise details will be used to create most of these handouts. You cannot distribute the Exercise Document as is, as it contains the entire scenario.

Simulation Team Handout (including full scenario and timings/messages)

The simulation team will need a handout to follow the scenario closely with a clock. They will be responsible for handing out messages, making “guest” appearances in the recovery room and making phone calls to add additional information for the recovery team. This document needs to have full details of the scenario.

Observation Team Form (including full scenario and expected responses)

The observation team form can be identical to the simulation team handout with one exception – it also needs to outline expected responses. If the observers are not entirely familiar with a plan that is being exercised you can help them by giving them a cue so they know what to look for.

Recovery Team Guidelines

Create a recovery team guidelines handout that is derived from the following sections in the exercise document:
• Location to be exercised
• Date and time
• Scope of exercise
• Artificialities
• Assumptions
• Scenario (only up to the point where you wish the exercise to begin)
• Instructions to participants (rules of engagement, if you will – set expectations!)
• Communications directory

Other handouts (as necessary) include:
• Name tents or name tags if the exercise is large. Also use name tags for simulation team members role-playing someone other than themselves.
• Cue cards – if you need to advise a recovery team member of something and you don’t want everyone receiving the information, use 3x5 cards to print messages for them and hand them out at the appropriate times in the scenario.
• Messages – if you are handing messages out, or if you are having them read out loud, it would be easier if they were printed, one message to a page that can be shared as a reference with the recovery team.

STEP 4: HOLD PRE-EXERCISE ORIENTATION

Schedule a pre-exercise orientation meeting with the simulation team (if needed), the observation team and the exercise assistant. It’s best to schedule these meetings just prior to the exercise, or the day before, for a couple of reasons. If you hand out the complete scenario to the observation team prior to the exercise, they may be tempted to “share” it with their co-workers involved in the exercise. You also want the review to take place just prior so that the information is fresh in their minds.

Simulation Team Orientation
• Provide the team with hard copies of the scenario and expected actions and scripts for each “role” they are playing.
• Walk through the exercise and messages one last time with everyone.
• Ensure that the room reserved for the simulation team during the exercise is adequate. Walk through the room with the simulation team and answer any questions.
• Ensure that any extra materials or equipment are scheduled to arrive in time for the exercise (flip charts, projectors, etc.).

Observation Team Orientation
• Provide the team with hard copies of the scenario, timing and expected responses by the recovery team.
• Explain logistics and roles and responsibilities.
• They will need a checklist that provides them with expected results for each piece of information driving the scenario. Providing them with the same document as for the simulation team will work, as long as they understand what they are to be observing and measuring, and you explain it to the observation team.

Exercise Assistant Orientation

You may or may not want to provide the exercise assistant with a detailed scenario. Explain their role and responsibilities and provide enough information for them to perform their job without having to interrupt the exercise. If the recovery team needs to eat a meal during the exercise, for example, ensure that the assistant knows when the food should arrive, by whom, and where it is to be set up. If you want the assistant to deliver messages to the recovery team throughout the exercise, they will need to have a copy of the timings and scenario components, the messages typed up and ready for distribution, etc.

Having done all the advance design work for the exercise, you are finally ready to conduct the exercise. Don’t miss Taking the Fear Out of BC Exercises: A Blueprint for Success, Part III: Exercise with Confidence, in next month’s issue of CPM-Global Assurance, which will outline how to set the tone, develop guidelines, conduct and evaluate the exercise.

About the Author

Telva Chase has more than 27 years of software engineering and seven years of full-time BC/DR experience. In 2002 she created and currently is the director of the business continuity program office for Thomson Scientific & Healthcare (www.thomson.com). Questions and comments may be directed to [email protected].


EVENTS CALENDAR 2007

March
• 14-16: Do-It-Yourself Business Continuity Management Course; Singapore; www.bcpasia.com
• 23: Business Continuity Management Seminar; Hong Kong, China; www.bcpasia.com
• 25-27: Continuous Availability Summit 2007; Loew’s Royal Pacific Resort at Universal Orlando; Orlando, FL; www.stratus.com/summit
• 25-27: European Security Conference; Berlin, Germany; www.asisonline.org
• 26-28: Do-It-Yourself Business Continuity Management Course; Beijing, China; www.bcpasia.com

April
• 22-25: Strohl Systems User Group Conference; JW Marriott Desert Ridge Resort & Spa; Phoenix, AZ; www.strohlsystems.com
• 24-25: Freedom of Information Conference; Jurys Great Russell Street Hotel; London, UK; www.foiconference.co.uk
• 25-27: Do-It-Yourself Business Continuity Management Course; Manila, Philippines; www.bcpasia.com

May
• 22-24: CPM 2007 WEST; The Mirage; Las Vegas, NV; www.contingencyplanningexpo.com

July
• 8-11: World Conference on Disaster Management; Toronto Metro Convention Centre; Toronto, Canada; www.wcdm.com

September
• 12-13: Dealing with Disasters Conference; School of Applied Sciences, Northumbria University; Newcastle upon Tyne, England; Graham Thompson: [email protected]


Are We Fully Prepared?
Identifying pitfalls of business continuity planning

By Mark Chussil

On Sunday, Aug. 28, 2005, the day before Hurricane Katrina hit New Orleans, President George W. Bush was briefed by Max Mayfield, director of the National Hurricane Center, and Michael Brown, then director of the Federal Emergency Management Agency (FEMA). They warned him about what could happen in the future. A subsequent videotape shows the president assuring local officials that “we are fully prepared.”

As events demonstrated, we were not fully prepared. Yet the President was willing to go on record saying that we were. Politics, perhaps. Being misunderstood or misinformed? Maybe. But at least some of the people involved genuinely believed that we were fully prepared.

We often ask – especially after a disaster – how we can hold people more accountable or get rid of those incompetents who failed to implement the plan. But maybe, to quote former Intel CEO Andy Grove, “That is not the right question.” Maybe the right question, therefore, is why did people believe we were prepared when we were not?

In business and government, we build plans and then we trust them. “We are fully prepared” generally means “we have a plan, we have the resources required by the plan and we have trained our people to execute the plan.” Talented, dedicated people work hard to make great plans. Those plans always work … on paper. After all, if we thought the plans wouldn’t work, we wouldn’t call them our plans.

So what goes wrong? Why do strategists write growth plans with wondrous forecasts and spreadsheets only to have their businesses shrivel? They fail to anticipate or respond effectively to competitors’ moves, as in the slow, painful decline of the American automobile industry. Why do government agencies, following their plans, buy hardware and drill emergency responders, only to see citizens suffer and die in a disaster? The agencies fail to communicate and coordinate, as was the case with Hurricane Katrina.

CONFIRMING PROBLEMS IN PLANNING

What goes wrong, in part, is the process of planning itself. The process of planning unintentionally leads to failures to anticipate, respond, communicate and coordinate because the process of planning unconsciously makes us overconfident in the plans.

It’s not that the process of planning is bad, and it’s emphatically not that the planners are bad, it’s that the process often doesn’t go far enough.

In planning, we develop a sequence of steps to follow in a given situation. We refine and communicate the sequence by writing it down – in detail – and we test and teach it by rehearsing it in drills. When we’re done, we believe we have validated the plan. We believe the plan, and we believe that we are prepared.

What we do in that process is implicitly focused on so-called “confirming evidence.” Each time we write down tasks and procedures that will make the plan work – and each time the rehearsal works – we feel more confident that the plan will work.

When we believe the plan will work, we stop questioning it. As humans, we tend to seek, retain and apply facts consistent with our beliefs. We tend to discredit or avoid information that conflicts with our beliefs. Sometimes, we even stop listening. (When’s the last time you read a book by an author with whose views you expected to disagree?) Unfortunately, like the belief that we were fully prepared for Katrina, some sincere beliefs are simply not true.

CALIBRATION AND FEEDBACK

Social psychologists use a concept called calibration, which refers to the match between confidence and accuracy. How it’s measured is beyond the scope of this article. But suffice it to say that weather forecasters are well-calibrated because, for example, when they say there’s a 70 percent chance of rain, 70 percent of the time, it rains.

We stop seeking information, studies, ideas or tests when we’re confident we’ve got enough. When we’re accurate and we do have enough, that means we don’t need more and it’s appropriate to stop. The problem occurs when we are inaccurate. High confidence with low accuracy means we stop too soon. That’s what happens with the plans we believe will work because they worked on paper and in rehearsals. That probably contributed to officials proclaiming, confidently and inaccurately, that we were prepared for Hurricane Katrina.

According to Professor Scott Plous of Wesleyan University, Middletown, Conn., “The most effective way to improve calibration seems to be very simple: Stop to consider reasons why your judgment might be wrong.” In other words, look for disconfirming evidence.

Professors Jay Russo of Cornell University, Ithaca, N.Y., and Paul Schoemaker of the University of Pennsylvania, Philadelphia, say we can improve calibration by providing timely, accurate feedback. Learning from timely, accurate feedback gives weather forecasters an “enviable record of reliability.”

How can we provide timely, accurate feedback for those we have entrusted with safeguarding our communities and industries? How can we encourage them to search for disconfirming evidence? How can we help them work around the shortcomings of the planning process?

FAIL SAFETY

In an introductory psychology course in college, we joked about a concept called “one-trial learning.” In one-trial learning, you imagine a rat being placed at the base of a T-shaped maze. If the rat runs one way when it gets to a T intersection, it gets a piece of delicious cheese. If it turns the other way, it gets a fatal electric shock. The rats that make the right choice learn in just one try.

Of course, there’s no real learning. It’s luck, jazzed up with imaginary academic sadism. But in concept, it’s not so different from on-the-job training.

In real life, we don’t want to risk one-trial learning. Taking the wrong turn in a real-life T-shaped maze means real people get hurt. What we want is the opportunity to fail – and learn – where it’s safe. In effect, we want many-trial learning in which we replace the cheese and the fatal electric shock with timely, accurate feedback. The feedback, especially from failures, provides disconfirming evidence and the opportunity to discover and repair flaws in plans before they do us any real harm.

Make it safe to disagree. People sometimes feel reluctant to contribute disconfirming evidence or dissenting opinions, particularly in politically charged decisions. It’s critical, though, to draw them out. So, do things differently. Close the doors. Allow anonymous feedback. Reward the contributions, even if they’re uncomfortable. Let people role-play.

Change how ideas are presented to decision makers. A.G. Lafley, CEO of Procter & Gamble, “always asks managers to give him two different approaches and present the pros and cons of each” before he makes a decision. Ask for reasons why it will work and reasons why it won’t.

Look outside your agency or industry. Think differently by putting on someone else’s hat. Imagine, for instance, what Rudy Giuliani, Steve Jobs, Sir Winston Churchill, General George Patton or Steven Spielberg would do with the challenges you face. Look for insight to industries, such as software and microprocessor engineering: They do rigorous code reviews and succeed at making the most complex stuff in history work.

Ask strange questions. What would it take to improve performance not 10 percent but tenfold? What could we do that would make customers or citizens happy even if it costs more money? What has to happen for our plan to work (e.g., the electricity stays on, we have police protection, there’s enough gasoline), and what would we do if one or more didn’t happen?

Keep asking “what if?” Asking “what if?” reveals the chaos, surprises and uncertainty you’ll face in a real crisis. What if critical people aren’t on the scene? What if you have to carry out the plan in the middle of the night or during a snowstorm with the power out? What if senior leaders aren’t able to communicate?

Conduct simulations. By their very nature, simulations provide timely feedback and disconfirming evidence. They make it very difficult to succeed simply because you want to succeed or because you believe your plan will work. You’ve got to take action, coordinated with others on your team and within the bounds of available resources. Good simulations stimulate high-impact, out-of-the-box, we’ve-got-to-do-something thinking while there’s still time. Moreover, you can repeat the simulations with different people or with different settings to get many-trial learning. This is the path to before-the-job training.

You wouldn’t certify an aircraft as airworthy just because it flies smoothly in a wind-tunnel rehearsal or in a clear-skies drill. You also want to demonstrate that it will fly safely in a bad storm or when an engine fails. Stress-testing your plans helps you make them crisis-worthy. Then you can say confidently, and accurately, that you are prepared.

About the Author

Mark Chussil is a founder and senior director of Crisis Simulations International (CSI) LLC and is a founder and CEO of Advanced Competitive Strategies Inc. (ACS). He designed CSI’s DXMA™ crisis simulator (patent pending) and ACS’ award-winning ValueWar® business simulator. Questions and comments may be directed to [email protected].

References

1. The Wall Street Journal, March 3, 2006.
2. “The Education of Andy Grove,” Richard S. Tedlow, historian at the Harvard Business School, Fortune, Dec. 12, 2005.
3. The Psychology of Judgment and Decision Making, Scott Plous, McGraw Hill, 1993, page 228.
4. See Decision Traps, J. Edward Russo and Paul J.H. Schoemaker, Simon & Schuster, 1989, pages 98-102.
5. National Public Radio, Jan. 6, 2006.
6. “Rewarding Competitors Over Collaborators No Longer Makes Sense,” Carol Hymowitz, The Wall Street Journal, Feb. 13, 2006, page B1.


PRODUCTS

INFORMATION SECURITY E-MAIL SOFTWARE

Los Angeles-based SearchInform Technologies Inc.’s newly released MailSniffer provides information security and prevents the leakage of confidential information. SearchInform MailSniffer RC intercepts all e-mail traffic on the network protocol level, indexes the intercepted messages and enables the user to search through them with access to all sent and/or received messages on a given computer. Users can conduct a quick, quality full-text search with due consideration to stemming, thesaurus and word location in a phrase. The search is conducted through all incoming and outgoing correspondence not only in the body of the letter, but also in its attributes and even in the contents of attached files. All intercepted information gets indexed and stored into the database, so that even if a message is deleted from the mail client, its contents will still be available for search. When viewing the history of correspondence between two people, MailSniffer displays it in chronological order for the user’s convenience. Features include previewing correspondence history with one recipient; full-text search in messages and attached files with due consideration to stemming; control over employees’ correspondence; and user access rights differentiation.

www.searchinform.com

INTELLIGENT STORAGE ROUTER FOR BC, DR APPLICATIONS

QLogic Corp., Aliso Viejo, Calif., a provider of fibre channel host bus adapters, stackable switches and blade server switches, has announced that information management and storage provider EMC Corporation, Hopkinton, Mass., will expand its resale of QLogic® Network Platform products to include the new QLogic SANbox® 6142 intelligent storage router, now available through the EMC® Select Program. In addition, selected QLogic host bus adapters and switches are also offered through the program. The SANbox 6142, qualified as EMC E-Lab™ Tested with EMC CLARiiON® networked storage systems, features SmartWrite wide area network optimization technology for business continuity and disaster recovery solutions requiring remote mirroring of data. The 6142 features SmartWrite, the QLogic patent-pending technology for accelerating and bridging SANs over WANs and provides SAN-over-WAN connection infrastructure for EMC MirrorView and EMC SANCopy to support disaster recovery, replication and volume copy services over WANs. Using SmartWrite’s Layer III (SCSI layer) routing, the SANbox 6142 is able to perform SAN bridging over WANs without having to merge SAN Fabrics. SmartWrite eliminates double addressing of SAN devices required by iFCP; eliminates the need to have unique names on each SAN; and leverages the WAN resources for resiliency and encryption.

www.qlogic.com

DISASTER RECOVERY SERVICES FOR GOVERNMENT AGENCIES

Basking Ridge, N.J.-based Verizon Business’ Voice Continuity disaster recovery service is now available to federal customers under the U.S. General Services Administration’s Washington Interagency Telecommunications System (WITS) 2001 contract for federal agencies within the Washington, D.C., metropolitan area. The services have been available since 2005 to other federal government users to purchase from the GSA’s Federal Telecommunications Service (FTS) 2001 contract and are available to state government customers. These services, offered in conjunction with TeleContinuity Inc., Rockville, Md., help federal and state government agencies meet continuity of operations planning requirements. In the event of an equipment failure, natural disaster or building evacuation, the voice continuity option provides the capability to reroute calls to maintain telephone service to virtually any location and device, including wired or wireless phones, desktop or mobile computers and personal digital assistants. Verizon Business identifies potential risks and exposures, including router or hardware failures, cable cuts, power and network outages, natural disasters and acts of terrorism; provides an analysis of costs and benefits of potential mitigation measures; and tests the solution. The technology links the public switched telephone network with the Internet to create a seamless system for voice disaster recovery. Users activate the voice continuity service when they anticipate or are experiencing an outage. Upon activation, users can choose the device and location where calls will be rerouted.

www.verizonbusiness.com

DISASTER RECOVERY, FAULT-TOLERANT SOLUTION FOR SMALL FACILITIES

Dataprobe, Allendale, N.J., a manufacturer of technology solutions for networking systems management, has released the K-3 Series, a new line of redundancy switches that provides up to three A/B switches in a 1U rack-mount chassis. It is optimized for remote sites and distributed systems that want to construct high-availability, fault-tolerant communications. K-3 provides physical layer switchover of communications circuits for line protection and equipment redundancy applications. Small remote sites provide mission-critical operations and have the same availability requirements as data centers. The new K-3 is a redundant switching system designed to address these challenges by ensuring maximum uptime for critical communication circuits. It includes automatic and remote control capabilities. Users can control up to three A/B switches in either independent or gang switch arrangement. The K-3 can be controlled via Web, Telnet, SNMP, etc., making the system accessible from any network location while the chassis provides for one internal A/C or D/C power supply, with the option for dual redundant power in an external supply.

www.dataprobe.com
