Dear DR Dan,
I'm curious... are you a doctor of philosophy or of medicine?
Denise From Down Under
Hi Denise,
Neither. I'm a doctor of disaster recovery, which should be documented as "DR DR Dan."
Seriously, I have over 20 years of experience in dealing with disaster recovery (DR), so I metaphorically call myself "DR Dan." "Dr. Phil" was already taken.
Thanks for your question.
DR Dan
Tuesday, June 16, 2009
Katrina and FEMA
Dr. Dan,
(btw, what is your degree in?)
In your considered opinion, was not the New Orleans “disaster response” by the Federal and State governments shameful at best? What went wrong or should I ask what didn’t go wrong? How can we know if our home, our city, our nation is ever truly prepared for something REALLY big?
Lefty
Hello Lefty,
Thanks for your questions.
- (btw, what is your degree in?)
I have multiple degrees: computer science, writing, and a master's degree from the Universal School of A&E (that's age and experience).
- Was not the New Orleans “disaster response” by the Federal and State governments shameful at best?
It WAS shameful. People died unnecessarily. Thousands were left homeless. But remember that America is a "for-profit state." The Federal and State Gov's response to Katrina is what it was. That being said, the disaster - whatever it is - begins in your neighborhood. Those in the epicenter must act as if they are on an island; you must become self-sufficient. Next, the city / community will help out. Then, if possible, the county will render aid. Then the state. And finally the Fed. Please note also that FEMA - that agency which took so much heat - is NOT a responding agency. It exists simply to organize resources. It's emergency "management," not emergency response.
- What went wrong or should I ask what didn’t go wrong?
There's no doubt that a lot went wrong. Beginning in 1718 with the French building a settlement on a patch of land not much higher than sea level. This idiocy is quite analogous to building (and re-building and re-building) on a hurricane-prone coast-line or earthquake fault-line or in a floodplain. While humans continue to ignore common sense, Katrina-like events and ineffective response will continue to happen.
- How can we know if our home, our city, our nation is ever truly prepared for something REALLY big?
REALLY big is a REALLY relative term, my friend. REALLY big to me means M-1762 - an asteroid the size of Texas - hits the third rock from the Sun. In that case, my response protocol is simple: be penitent of my sins and drink heavily. My father's generation worried about nuclear Armageddon. My grandfather worried about the Great Depression. His father before him worried about Polio. Every generation has its own worries. Get the picture?
Unfortunately, you can't know if you're REALLY safe. What you can do is prepare yourself and your loved ones. The fact of the matter is that - as I mentioned in my 2nd answer above - you have to think of yourself (and your family) as an island. Sad as it is, no one will look out for you more than you will.
So, YOU need to develop (and implement) your own emergency response and recovery plan. It's pretty simple. Go to ready.gov for guidance and help.
Thanks for your questions. I hope this helps.
DR Dan
In the words of Jack Torrance, "I'm Home."
If you don't know Jack Torrance, then you've missed a great Stephen King / Stanley Kubrick flick, "The Shining."
So - like Jack - I'm "home." I've been on vacation since last week. When I'm on vacation, the only technologies I use are my SUV, an occasional greasy diner, and beer opener. No cell phones. No GPS. No laptops. Unless there's an emergency, of course.
To those of you who have submitted questions during my absence: Thank you. In the immortal words of one of my favorite technologies, the auto-answering service, "your call will be taken in the order it was received."
DR Dan
Thursday, June 11, 2009
Blog Rules
Our blogging rules are simple:
- First and foremost, don’t submit information that is considered proprietary, copyrighted, law enforcement sensitive, classified, or otherwise protected. That could get us both in trouble.
- Don’t submit anything that could be considered offensive or slanderous. In other words, don’t write anything you wouldn’t want your hometown paper to print with your byline.
- Keep your posts objective and factual. We’re not interested in hearsay, religious beliefs, or political alignment.
- All submissions are reviewed for compliance with these blogging rules. When necessary, submissions will be edited, but the general essence of your message will be left intact. In other words, we're just looking for spelling errors and typos. This'll make you look good.
This site is designed to help all of us prepare for the worst. If you have information that can help, please take a minute or two to share your knowledge.
Approved submissions are usually posted within 24 hours. We look forward to your participation!
Thank you!
DR Dan
Wednesday, June 10, 2009
Championing the BC Cause
Dr. Dan,
For those launching a continuity program, do you have some tips on how to champion the concept with management?
Cate in OKC
Hi Cate,
Wow! That's one of those million-dollar questions that has plagued BC professionals for centuries, perhaps eons.
Seriously, management (in the private sector) usually has one priority: profitability. Every goal, every performance review, and every task are tied to the bottom line. It makes sense. That's what baseball, apple pie, and capitalism are all about.
So, you gotta hit 'em where they live. Consider these issues:
- Is there a prevailing issue that may persuade them to be more agreeable to a program, such as a recent disaster, negative audit report, or concerned investor?
- Is there an advantage to be derived from stakeholders, such as board members, investors, customers, et al., that a BC program would offer?
- Are there influences in the industry that make having a business continuity program more prudent and beneficial?
- Are there new laws that require a business continuity program?
- Do there exist areas that are vulnerable to lawsuit, such as safety, product, or consumer liability?
Some management will realize that business continuity is a program and not a project.
Hope this helps.
DR Dan
Tuesday, June 9, 2009
BCP vs. COOP
DR Dan,
What would you say are the primary differences and similarities between Business Continuity (engaged in by businesses, companies or corporations) and Continuity of Operations (engaged in by Federal Agencies and now, more and more so, State Agencies)?
Jon
Thanks, Jon. This question points to a bigger issue: "Will private-enterprise business continuity plans (BCPs) and public agency continuity of operations (COOP) plans work together during a wide-scale disaster?" That'll be tomorrow's topic.
Back to your question. BCPs and COOPs are quite similar in that they are created to help the organization - private or public - recover from a disaster. Get back to "business as usual" as quickly as possible.
There are a couple of differences between BCP and a COOP plan. A BCP has a true "profit perspective." Its primary purpose is to recover profit centers and critical operations with the utmost urgency. A for-profit entity usually has very short recovery time objectives (RTOs). The COOP plan certainly intends to recover services to its constituents - the public - quickly, but the urgency may not be as high as in the business world. In short, if the business doesn't recover quickly enough, it may go bankrupt. Government will march on regardless. Theoretically.
Second, the COOP plan must consider and resolve any red-tape conflicting with recovery goals. This conflict could arise from misaligned priorities or policies. This issue especially comes into play when developing a community-wide COOP plan where multiple agencies at city, county, and state levels are involved.
In the private sector, bureaucracy is less prominent. If something gets in the way, it's a lot simpler and usually quicker for the CEO to fix it on the spot. Of course, a business must cooperate with outside entities such as first responders and enforcement agencies, but the lines of authority are more clearly drawn.
The bottom line is that BCPs and COOP plans have the same basic goal. Creating them also follows a similar path. Each has its own little gotchas, but these can be overcome.
Hope this helps,
DR Dan
Monday, June 8, 2009
Cold Vs. Warm Vs. Hot
Dear DR Dan,
What’s the difference between a cold site, warm site, and hot site?
Newbie in New York
Hi Newbie,
That's a good question. Here's the short answer: A cold site is not much more than an empty warehouse where you store your '57 Chevy. A warm site is a warehouse with power, phone, raised floor, "empty" servers, and air conditioning, but, alas, no OS or data. A hot site is a true duplicate of your datacenter where you can recover in minutes, if not seconds.
The "warmer" you go, the more expensive it is.
Hope this helps.
DR Dan
Car Trunks and Other Treasure Chests
Dear DR Dan,
What sort of disaster recovery plans and critical electronic files should an Accounts Receivable manager have in his car or at home? Isn't there a conflict with what the Corporate Security director believes should be taken out of the building?
Signed,
Paranoid in Accounting Dept.
Hi Paranoid,
The short answer is that you should have a copy of the DRP section that involves your department at your home and (encrypted) on your PDA, but not in your car. Same for your second and third in command. Just in case you and your second fail the "bus test."
Your car is not a good data haven because it's vulnerable to a) theft, b) accidents, and c) tornados. In other words, events that are outside of your control.
Certainly A/R files are important and should be backed up at a secure site, without dependency upon you to carry them home. The fact that your Corporate Security Director isn't happy points to a more fundamental question of authority and responsibility.
Hope this helps.
DR Dan
Cookie-Cutter Disaster Plans
Dear DR Dan,
Most cookie-cutter disaster plan outlines and presentations focus on tornados, floods, and other major events. My experience is that at least half of the "floods" I've had to deal with were from pipes within the building. Several of the power outages that shut the offices down were electrical problems within the building. Another example was not the classic nearby train tank car derailment, but smoke from a fire across the street that forced our building to be evacuated. Could you share some of these non-cookbook problems that you've seen? How is the preparation for these different from plans for the "big one?"
Lucien Jones. Oklahoma City
Hi Lucien,
As you obviously realize, the problem with cookie-cutter plans is there's no such thing as a cookie-cutter disaster. To your first question, the "non-cookbook" problems we've seen range from the drunk driver who takes out the main power transformer to the janitor who accidentally disconnects the primary call center server. My point is that we've seen more unconventional disasters than traditional events you hear about on the 5 o'clock news.
My answer to your second question is simple, but not easy. Your disaster preparation is only as effective as your risk assessment (RA) and business impact analysis (BIA). You must know your vulnerabilities and threats (RA) and their impact (BIA) in order to plan accordingly. Oh yeah, the plan for your company or agency is unique because it has unique risks, based upon geographic location, industry, and your neighbors. "Neighbors" include hazmat caches, transportation routes, potential meth labs, and high-value targets, to name a few.
An effective RA will identify EVERYTHING that can impact your organization, from a nano-second power outage to a smoking hole scenario. That includes risks in 4 realms: physical, technology, personnel, and process.
Following completion of the RA, your BIA prioritizes those risks based on their impact in 3 areas: financial, physical, and psychological. This process helps you identify those risks you should be most concerned about.
Hope this helps...
DR Dan
Friday, June 5, 2009
Aspirin Give Headaches To Responders
Have you heard about Bayer recently mailing up to 178,000 aspirin samples to homes everywhere? What you may not know is that 35,000 of those samples are of their new "Quick Release Crystals."
Yep, 35,000 samples of white powder in the mail. What was undoubtedly designed as a creative, innocuous promotion will most certainly create headaches for the responder community, including law enforcement, hazmat units, poison control centers, hospital ERs, and the CDC. And, of course, all sorts of alarms will be going off at the Post Office.
This is a fine example of what I call an accidental, human-caused disaster. Consider the costs for all the agencies called to respond to panic-stricken consumers who think they've been exposed to anthrax spores. Not to mention the emotional trauma of those who accidentally dump the contents on their kitchen countertop.
Obviously, Bayer didn't think about this side effect.
Thanks for stopping by.