Building Relationships - Establishing Contingencies before a Disaster
By Julia Halsne, Business Continuity Manager, EBMUD
In 2002 we had the Bioterrorism Act after 9/11. This required water utilities to conduct vulnerability assessments and develop emergency response plans with deadlines for benchmarks set in 2020 and 2021. But it was a one-time only measure with no specification on how often they had to be updated. This is very ambiguous, and it includes a lot of different requirements. It addresses cybersecurity, physical security, natural hazards, and all kinds of different components that wastewater agencies are now looking into. It's not a requirement for wastewater agencies at this point, but eventually, it will be. A lot of agencies are trying to address this challenge and respond to avoid non-compliance fines.
Later in October 2018, the Congress approved a Senate bill called ‘America’s Water Infrastructure Act of 2018,’ and it was signed into law. This bill specifies that the water systems have to complete and update Risk and Resilience assessments and emergency response plans every five years and then provide a certification to the EPA. This was a new development in this sector.
Could you shed some light on the trends that are shaping the Business Continuity space?
The Y2K bug problem was one of the big pushes that made Business Continuity not just relegated to I.T. but a part of the business process. And it seems to be more integrated with other operations including emergency preparedness and disaster recovery. As far as the discipline goes, it's a broad brush of people who used to organically evolve within the agency and now are actual positions with training and certification requirements. In some instances, people are getting degrees in business continuity, which weren't available 15 years ago. So for those people who have been in the industry for a long time, they've got it through the school of hard knocks and do not necessarily have a degree in business continuity or disaster recovery. On the other hand, some industry agencies would provide these certifications in those disciplines but not necessarily a degree.
What is your recommended approach to identifying the right partnership providers from the lot?
When we first got an emergency communication system, there weren’t too many contractors available in the market. Today there are dozens of them with different capabilities. They also connect with people who provide software solutions for business continuity and disaster recovery. So for those agencies that can't afford to have a full-time person dedicated to specific tasks or key projects, they can outsource. But as big as the industry is, it’s also very small. People know each other, build relationships, and get to know who the best providers are, given their network and business focus.
Build a relationship before a disaster or a business interruption happens so you know whom to contact and can have well-defined expectations for recovery.
Work with your industry peers to get firsthand information and references about providers and performance. Often you get the best unfiltered information from your peers so you can make a better, more educated decision.
What are the strategic points that you go by to steer the company forward?
In my organization, the senior management team supports business continuity very well. They support it financially as well as include it in the agency’s strategic plan, which promotes accountability at all levels. We report enterprise readiness to our Board of Directors regularly, and the board supports it from the general manager down through the staff level. It is in people’s performance plans. This gives credibility and priority to what I do. Initially, I started in a completely different discipline and later landed in this space as a part of an internal leadership development, but I think this plays to my strength. I manage the breadth of people at all levels of the organization, from those who conduct operational and business functions to those who dig ditches and put in pipes, to accountants and lawyers. It’s about having that ability to work with them and meet them where they are, supporting and facilitating them, so they can be successful and get recognized for the good work that they do.
This strength will enable you to be successful in building relationships. Oftentimes when you're at the staff asking them to do something that is not their full-time job, they are overwhelmed by it, or they have too much on their plate. So trying to find the value in it for them is the approach that I prefer.
What holds for the future of the Business Continuity space?
A lot of social media companies and tech companies don't have a full-time person to manage an operation for business continuity or emergency preparedness. They're drawing on resources who are smart and capable but they also have a full-time job, and it's difficult for them to balance both. It also makes it difficult for the practitioner to be competent because they have so many tasks on their plate and they're juggling priorities. That makes it difficult for new practitioners to get the time and experience to network.
On the contrary, in the old days, we would have industry conferences, and people would meet and build a network. But millennials don't prefer to go to conferences. They're looking for connections through social media, webinars and different platforms that are more electronic/virtual rather than being physically present. So conferences that used to draw thousands of people now have lower attendance. Industry professionals hardly get to participate in such events due to workload and travel issues. Thus, rather than getting information directly out of people they'll Google it. Sometimes that's successful, and sometimes it's not. It can be isolating, as well. This is what I've seen in the last few years: lunchtime meetings have been replaced by webinars or recorded podcasts. A person can do it from where they are and don't have to travel to get information and, most importantly, can listen to the recording later.
What would be the single piece of advice that you could impart to a fellow or aspiring professional in your field?
Building relationships both internally and externally will help you succeed. If I'm struggling with a problem, I can call my peer group and know if they have dealt with a similar kind of problem and learn how they solved it. It’s about building those relationships with your fellow workers and industry colleagues. Ensure you understand your company and clients’ drivers and priorities and support them in the best way possible to meet your goals and metrics.
This way you have a relationship ahead of time before a disaster or business is interrupted. You know whom to contact, and you’ve set expectations for recovery. I think that's one of the biggest issues that people have. They wait until the event happens and then they're scrambling to get information or to coordinate and to deal with that at a crucial time. The bottom line is it's much better if you build relationships ahead of time and practice recovery. Moving forward, understand what your critical facilities, operations, business functions and needs are, and your network can support you set realistic expectations for support.