Structure:
4.1 Types of Disasters
4.1.1 Disaster Prevention
4.2 Disaster Management and Mitigation Strategies
4.2.1 Disaster Preparedness
4.2.2 Action Planning Checklist
4.3 Understanding Disaster Recovery
4.3.1 Classification of Disasters
4.3.2 Importance of Disaster Recovery Planning
4.3.3 Control Measures
4.3.4 Strategies
4.4 Business Continuity Management
4.4.1 Disaster Recovery and Business Continuity Auditing
4.4.2 Metrics
4.4.3 Mission Statement
4.4.4 The DR Committee and Auditor
4.4.5 Documentation
4.4.6 Strategies
4.4.7 Other Considerations
4.4.8 Planning
4.4.9 Media Management
4.4.10 BCP vs. DRP
4.4.11 Business Continuity Plan (BCP)
4.4.12 Disaster Recovery Plan (DRP)
4.5 Business Continuity Plan Ten Steps
4.5.1 Ten Steps to an Effective Business Continuity Plan
4.6 Summary
4.7 Check Your Progress
4.8 Questions and Exercises
4.9 Key Terms
4.10 Check Your Progress: Answers
4.11 Case Study
4.12 Further Readings
Objectives
After studying this unit, you should be able to understand:
• Disaster Management
• Disaster Recovery and business continuity
• Encryption
• BCP
• A case study based on this unit
Disaster
Disaster is a sudden, calamitous event bringing great damage, loss, destruction and
devastation to life and property. WHO defines Disaster as “any occurrence, that causes
damage, ecological disruption, loss of human life, deterioration of health and health
services, on a scale sufficient to warrant an extraordinary response from outside the
affected community or area”.
The damage caused by disasters is immeasurable and varies with the geographical
location, climate and the type of the earth surface/degree of vulnerability. This influences
the mental, socio-economic, political and cultural state of the affected area. Generally,
disaster has the following effects in the concerned areas:
1. It completely disrupts the normal day-to-day life.
2. It negatively influences the emergency systems.
3. Normal needs and processes like food, shelter, health, etc. are affected and
deteriorate depending on the intensity and severity of the disaster.
4. It may also be termed as “a serious disruption of the functioning of society,
causing widespread human, material or environmental losses which exceed
the ability of the affected society to cope using its own resources”.
Disaster Management
The United Nations defines a disaster as a serious disruption of the functioning of a
community or a society. Disasters involve widespread human, material, economic or
environmental impacts, which exceed the ability of the affected community or society to
cope using its own resources.
The Red Cross and Red Crescent Societies define disaster management as the
organization and management of resources and responsibilities for dealing with all
humanitarian aspects of emergencies, in particular preparedness, response and
recovery in order to lessen the impact of disasters.
Disaster Preparedness
These activities are designed to minimize loss of life and damage – for example by
removing people and property from a threatened location and by facilitating timely and
effective rescue, relief and rehabilitation. Preparedness is the main way of reducing the
impact of disasters. Community-based preparedness and management should be a high
priority in physical therapy practice management.
Disaster Relief
This is a coordinated multi-agency response to reduce the impact of a disaster and
its long-term results. Relief activities include rescue, relocation, providing food and water,
preventing disease and disability, repairing vital services such as telecommunications
and transport, providing temporary shelter and emergency health care.
Disaster Recovery
Once emergency needs have been met and the initial crisis is over, the people
affected and the communities that support them are still vulnerable. Recovery activities
include rebuilding infrastructure, health care and rehabilitation. These should blend with
development activities, such as building human resources for health and developing
policies and practices to avoid similar situations in future.
Disaster management is linked with sustainable development, particularly in relation
to vulnerable people such as those with disabilities, elderly people, children and other
marginalized groups. Health Volunteers Overseas Publications address some of the
common misunderstandings about disaster management.
differs from the other phases because it focuses on long-term measures for reducing or
eliminating risk. The implementation of mitigation strategies can be considered as part of
the recovery process if applied after a disaster occurs.
policies consist of long- and short-term prevention and preparedness measures and
immediate response mechanisms. They also include appropriate administrative
structures to manage disaster response, financial systems to fund and facilitate them, the
mechanisms to ensure that policies and strategies are continuously reviewed and revised
in the light of experiences within the country and in other parts of the world. We, as
teachers and as responsible citizens of our country, should be part and parcel of the
disaster preparedness drive taken up in the country.
Continuity Plan (BCP) includes planning for non-IT related aspects such as key
personnel, facilities, crisis communication and reputation protection, and should refer to
the Disaster Recovery Plan (DRP) for IT related infrastructure recovery/continuity.
IT disaster recovery control measures can be classified into the following three
types:
1. Preventive measures: Controls aimed at preventing an event from occurring.
2. Detective measures: Controls aimed at detecting or discovering unwanted
events.
3. Corrective measures: Controls aimed at correcting or restoring the system
after a disaster or an event.
Good disaster recovery plan measures dictate that these three types of controls be
documented and exercised regularly using so-called “DR tests”.
4.3.4 Strategies
Prior to selecting a disaster recovery strategy, a disaster recovery planner first
refers to their organization’s business continuity plan which should indicate the key
metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for
various business processes (such as the process to run payroll, generate an order, etc.).
The metrics specified for the business processes are then mapped to the underlying IT
systems and infrastructure that support those processes. Incomplete RTOs and RPOs
can quickly derail a disaster recovery plan. Every item in the DR plan requires a defined
recovery point and time objective, as failure to create them may lead to significant
problems that can extend the disaster’s impact. Once the RTO and RPO metrics have
been mapped to IT infrastructure, the DR planner can determine the most suitable
recovery strategy for each system. The organization ultimately sets the IT budget and
therefore, the RTO and RPO metrics need to fit with the available budget. While most
business unit heads would like zero data loss and zero time loss, the cost associated with
that level of protection may make the desired high availability solutions impractical. A
cost-benefit analysis often dictates which disaster recovery measures are implemented.
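The mapping step described above can be checked mechanically. The following is an added example, not part of the original unit: it maps process-level RTO/RPO values onto the supporting systems (a shared system inherits the strictest value), reports processes with incomplete objectives, and compares each system's backup interval and last tested restore time against its objectives. All process names, system names and figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Process:
    name: str
    rto_min: Optional[int]    # Recovery Time Objective in minutes (None = not defined)
    rpo_min: Optional[int]    # Recovery Point Objective in minutes (None = not defined)
    systems: Tuple[str, ...]  # IT systems the process depends on


@dataclass(frozen=True)
class System:
    name: str
    backup_interval_min: int  # worst-case data loss under the current backup schedule
    tested_restore_min: int   # restore time measured in the last DR test


def map_objectives(processes: List[Process]):
    """Map process objectives to systems; return (objectives, incomplete processes).

    A system shared by several processes gets the smallest RTO and RPO of any
    process that depends on it. Processes missing either metric are reported
    instead of being mapped.
    """
    objectives: Dict[str, Tuple[int, int]] = {}
    incomplete: List[str] = []
    for proc in processes:
        if proc.rto_min is None or proc.rpo_min is None:
            incomplete.append(proc.name)
            continue
        for sys_name in proc.systems:
            rto, rpo = objectives.get(sys_name, (proc.rto_min, proc.rpo_min))
            objectives[sys_name] = (min(rto, proc.rto_min), min(rpo, proc.rpo_min))
    return objectives, incomplete


def find_gaps(processes: List[Process], systems: List[System]) -> List[str]:
    """Return findings where the DR plan cannot meet the mapped objectives."""
    objectives, incomplete = map_objectives(processes)
    findings = [f"process {name}: RTO/RPO not fully defined" for name in incomplete]
    inventory = {s.name: s for s in systems}
    for sys_name in sorted(objectives):
        rto, rpo = objectives[sys_name]
        system = inventory.get(sys_name)
        if system is None:
            findings.append(f"system {sys_name}: not in DR inventory")
            continue
        if system.backup_interval_min > rpo:
            findings.append(
                f"system {sys_name}: backup interval "
                f"{system.backup_interval_min} min exceeds RPO {rpo} min"
            )
        if system.tested_restore_min > rto:
            findings.append(
                f"system {sys_name}: tested restore "
                f"{system.tested_restore_min} min exceeds RTO {rto} min"
            )
    return findings


# Constructed sample data (hypothetical processes and systems).
PROCESSES = [
    Process("payroll", rto_min=1440, rpo_min=240, systems=("erp-db", "hr-app")),
    Process("order-entry", rto_min=60, rpo_min=15, systems=("erp-db", "web-shop")),
    Process("reporting", rto_min=2880, rpo_min=None, systems=("bi-warehouse",)),
]
SYSTEMS = [
    System("erp-db", backup_interval_min=60, tested_restore_min=45),
    System("hr-app", backup_interval_min=1440, tested_restore_min=120),
    System("web-shop", backup_interval_min=5, tested_restore_min=90),
    System("bi-warehouse", backup_interval_min=1440, tested_restore_min=600),
]

if __name__ == "__main__":
    for finding in find_gaps(PROCESSES, SYSTEMS):
        print(finding)
```

Each finding is an input to the cost-benefit decision: either the recovery strategy for that system is upgraded, or the business accepts a looser objective.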
Some of the most common strategies for data protection include:
1. Backups made to tape and sent off-site at regular intervals.
2. Backups made to disk on-site and automatically copied to off-site disk, or made
directly to off-site disk.
3. Replication of data to an off-site location, which overcomes the need to restore
the data (only the systems then need to be restored or synchronized), often
making use of Storage Area Network (SAN) technology.
4. Private Cloud solutions which replicate the management data (VMs, Templates
and disks) into the storage domains which are part of the private cloud setup.
These management data are configured as an XML representation called OVF
(Open Virtualization Format), and can be restored from the database once a
disaster occurs. For example, Disaster Recovery with oVirt.
5. Hybrid Cloud solutions that replicate both on-site and to off-site data centers.
These solutions provide the ability to instantly fail-over to local on-site
hardware, but in the event of a physical disaster, servers can be brought up in
the cloud data centers as well. Examples include Quorom, rCloud from
Persistent Systems or Ever Safe.
6. The use of high availability systems which keep both the data and system
replicated off-site, enabling continuous access to systems and data, even after
a disaster (often associated with cloud storage).
4.4.5 Documentation
To maximize their effectiveness, disaster recovery plans are documented in written
form and in a manner that is easily understood by those who will need to use them. The
plan must also be readily available, since digging for a hard-to-find or
misplaced disaster recovery plan at the time of a disaster can complicate the effect of the
disaster. Furthermore, because of the constant changes that occur in the modern
business environment, disaster plans are most effective when updated frequently. This
way, the plans will also cover new and existing threats as such threats develop.
Adequate records need to be retained by the organization. The auditor examines records,
billings, and contracts to verify that records are being kept. One such record is a current
list of the organization’s hardware and software vendors. Such a list is made and
periodically updated to reflect changing business practice. Copies of it are stored on-site
and off-site and are made available or accessible to those who require them. An auditor
tests the procedures used to meet this objective and determines their effectiveness.
Site Designation
A hot/cold site is a location that an organization can move to after a disaster if the
current facility is unusable. The difference between the two is that a hot site is fully
equipped to resume operations while a cold site does not have that capability. There is
also what is referred to as a warm site which has the capability to resume some, but not
all operations. The decision a company makes when determining what type of site to
establish often hinges on the results of a cost-benefit analysis as well as the needs of the
organization. A disaster recovery plan spells out how relocation to a new facility is to be
conducted. Companies perform occasional tests and conduct trials to verify the viability
and effectiveness of the plan and to determine if any deficiencies exist and how they can
be dealt with. An audit of a company’s Disaster Recovery Plan primarily looks into the
probability that operations of the organization can be sustained at the level that is
assumed in the plan, as well as the ability of the entity to actually establish operations at
the site. A review of the disaster recovery plan generally involves examining and testing
the procedures included, conducting outside research relating to Disaster Recovery,
determining reasonable standards relating to implementation, touring, examining, and
researching the outside facility.
The auditor can verify this through paper and paperless documentation and actual
physical observation. Testing of the backups and procedures is also performed to
confirm data integrity and effective processes. The security of the storage site is also
confirmed.
Data Backup
Data backups are central to any disaster recovery plan. An audit of backup
processes determines whether: (a) they are effective, and (b) they are actually being
implemented by the involved personnel. Some techniques that are used to accomplish
this include direct observation of the processes in question, analyzing and researching
the backup equipment used, conducting computer-assisted audit techniques and tests,
and examining paper and paperless records.
The continual backing up of data and systems can help minimize the impact of
threats. Even so, the disaster recovery plan also includes information on how best to
recover any data that has not been copied. Controls and protections are put in place to
ensure that data is not damaged, altered, or destroyed during this process. Information
technology experts and procedures need to be identified that can accomplish this
endeavour. Vendor manuals can also assist in determining how best to proceed.
Drills
Practice drills are conducted periodically to determine how effective the plan is and to
determine what changes may be necessary. The auditor’s primary concern here is
verifying that these drills are being conducted properly, that problems uncovered
during these drills are addressed, and that procedures designed to deal with these potential
deficiencies are implemented and tested to determine their effectiveness.
training includes updates to existing job positions and testing to confirm proficiency.
Some of the issues related to this activity verify that: (1) policies are being enforced,
(2) testing is effective, and (3) training is adequate.
Insurance Issues
The auditor determines the adequacy of the company’s insurance coverage
(particularly property and casualty insurance) through a review of the company’s
insurance policies and other research. Among the items that the auditor needs to verify
are: the scope of the policy (including any stated exclusions), that the amount of
coverage is sufficient to cover the organization’s needs, and that the policy is current and
in force. The auditor also ascertains, through a review of the ratings assigned by
independent rating agencies, that the insurance company or companies providing the
coverage have the financial viability to cover the losses in the event of a disaster.
Effective DR plans take into account the extent of a company’s responsibilities to
other entities and its ability to fulfill those commitments despite a major disaster. A good
DR audit will include a review of existing MOA and contracts to ensure that the
organization’s legal liability for lack of performance in the event of disaster or any other
unusual circumstance is minimized. Agreements pertaining to establishing support and
assisting with recovery for the entity are also outlined. Techniques used for
evaluating this area include an examination of the reasonableness of the plan, a
determination of whether or not the plan takes all factors into account, and a verification of
the reasonableness of the contracts and agreements through documentation and outside
research.
Communication Issues
Good disaster recovery planning ensures that both management and the recovery
team have disaster recovery procedures which allow for effective communication. This
can be accomplished by ensuring contact information is easily accessible and that the drills
conducted test communication abilities. A good disaster recovery plan includes not
only internal communication considerations but external issues as well. Such external
communications consider issues related to communication between the organization
and outside individuals and organizations, such as business partners. Procedures to test
this communication capability generally mirror those of the organization itself. The
disaster recovery auditor evaluates these procedures and assumptions to determine if they are
reasonable and likely to be effective. Some techniques used by a DR auditor in
evaluating readiness include testing of procedures, interviewing employees, making
comparisons against the DR plans of other companies and against industry standards, and
examining company manuals and other written procedures. The auditor can verify
through direct observation that emergency telephone numbers are listed and easily
accessible in the event of a disaster.
Emergency Procedures
Procedures to sustain staff during a round-the-clock disaster recovery effort are
included in any good disaster recovery plan. Procedures for the stocking of food and
water, capabilities of administering CPR/first aid, and dealing with family emergencies
are clearly written and tested. This can generally be accomplished by the company
through good training programs and a clear definition of job responsibilities. A review of
the readiness capacity of a plan often includes tasks such as inquiries of personnel, direct
physical observation, and examination of training records and any certifications.
4.4.8 Planning
Once that has been done, the team can design the Business Continuity Plan(s). It is
important to make the plan simple enough so that it can be executed without any
problems during a crisis and it needs to be based on steps previously described. Also
one has to define the threshold for every incident so that appropriate measures can be
taken depending on the incident. Once the BCP has been designed and approved,
it needs to be tested under realistic conditions as untested BCPs historically fail. David
Spinks, Director of Information Assurance EDS, stresses that, “we see far too many
Business Continuity Plans and/or Disaster Recovery Plans that whilst they have been
tested were done so in unrealistic ideal conditions and thus we do not truly recognize
what really happens in a crisis.”
It is important to always tie aims during the Business Continuity Management
Process to the business needs. For example, it is not the function of Information
Security to protect all information; it needs to protect only the information which the
business needs to protect. The same needs to be done with Business Continuity
Planning.
Once the plan has been designed and tested, it is important to re-evaluate the plan
and retest it periodically, because business processes and the requirements of
companies change from time to time. For example, a company buys new
equipment on which it is heavily dependent. Thus, a BCP should be revised after
purchases, upgrades of equipment and so on. It is, therefore, important to realize that the
Business Continuity Plan is a living document, which needs to be changed and adjusted
if business requirements change.
Finally, it is equally important to educate everyone in the company about the BCP.
Since it will be the employees who are there to react to (or in some cases prevent) an
incident, a BCP’s success or failure depends largely on the way it is implemented by the
employees. If employees are not properly trained regarding the BCP, its likelihood of success is
seriously diminished.
and regulations. Changing business processes (internally to the institution and externally
among interdependent financial services companies) and new threat scenarios require
financial institutions to maintain updated and viable BCPs.
New business practices, changes in technology, and increased terrorism concerns
have focused even greater attention on the need for effective business continuity
planning and have altered the benchmarks of an effective plan. For example, an effective
BCP should take into account the potential for wide area disasters that impact an entire
region and for the resulting loss or inaccessibility of staff.
The threat of pandemics, in particular, an outbreak of influenza caused by the bird
flu virus, is causing many financial institutions to update their BCPs. Citibank’s Action
Plan, outlined in a July 2006 presentation by Greg Gist, Senior Policy Advisor in
Citibank’s Office of Business Continuity, includes a pandemic preparedness plan,
headed by a Pandemic Preparedness Task Force consisting of senior staff from each
region. The plan, which includes triggers and actions based on World Health
Organization Pandemic Phases, provides all employees with pandemic preparedness
communications and kits, modifies existing business continuity plans (e.g., to reflect high
absenteeism rates associated with pandemics), and integrates pandemic awareness in
financial and risk planning.
Citibank’s plan also includes assumptions about the effect on customers, such as
increased delinquencies, increased requests for additional credit, and an increase in
Internet banking volume.
Key to any BCP is an impact analysis differentiating between critical and non-critical
functions. A function may be considered critical if the implications for stakeholders or
damage to the organization are regarded as unacceptable. Perceptions of the
acceptability of disruption may be modified by the cost of establishing and maintaining
appropriate business or technical recovery solutions. A function may also be considered
critical if dictated by law. Next, the impact analysis results in the recovery requirements
for each critical function. Recovery requirements consist of the time frame in which the
critical function must be resumed after the disaster, the business requirements for
recovery of the critical function, and/or the technical requirements for recovery of the
critical function.
A BCP should consider and address interdependencies, both market-based and
geographic, among financial system participants as well as infrastructure service
providers. In most cases, recovery time objectives are much shorter than they were even
a few years ago, and for some institutions, recovery time objectives are based on hours,
minutes and seconds.
BCP requirements within a firm can vary from application to application. In financial
services, applications deemed critical require a highly available and redundant architecture
to meet ever-demanding service level agreements. The more critical the application is,
the greater the need for continuous availability. For example, in the case of a fixed
income trading system, it is imperative that trading can resume within seconds following
a systems interruption. Rapid resumption of trading mitigates loss of business and
preserves business reputation. The cost of downtime not only includes the lost trades but
also impacts the financial services business’s reputation.
4.6 Summary
Disaster management (or emergency management) is the creation of plans
through which communities reduce vulnerability to hazards and cope with disasters.
Disaster management does not avert or eliminate the threats, instead it focuses on
creating plans to decrease the impact of disasters. Failure to create a plan could lead to
damage to assets, human mortality, and lost revenue. Currently, in the United States,
60% of businesses do not have emergency management plans. Events covered by disaster
management include acts of terrorism, industrial sabotage, fire, natural disasters (such
as earthquakes, hurricanes, etc.), public disorder, industrial accidents, and
communication failures. The development of emergency plans is a cyclical process,
common to many risk management disciplines, such as Business Continuity and Security
Risk Management, as set out below:
• Recognition or identification of risks
• Ranking or evaluation of risks
• Resourcing controls
• Reaction planning
• Reporting and monitoring risk performance
• Reviewing the Risk Management framework
7. What can happen to make a moderate-size event into a large natural disaster?
8. If you erect a barrier for protection against some natural event, what
detrimental effect can follow?
9. How does government policy sometimes act counterproductively in reference
to mitigating natural hazards?
10. A natural disaster is fractal. Explain what this means and how it provides
insight into larger events.
11. ‘Sustainable management of natural resources is essential to provide livelihood
and environmental security.’ Discuss.
12. Define Total Disaster Risk Management Approach and refer to its pertinence
for Disaster Management Cycle.
13. Highlight development perspective to disaster management with focus on
disaster management in riverine regions.
14. Discuss major issues involved in disaster preparedness.
15. Discuss the role of Information Technology in disaster prevention.
16. Discuss the importance of Rescue and highlight various rescue methods.
17. ‘Shelter rehabilitation is concerned with various aspects.’ Discuss.
18. What are the major features of Emergency Operations Centre?
19. ‘Various types of damages are required to be considered for undertaking
effective damage assessment.’ Discuss.
20. Highlight guiding principles of rehabilitation and reconstruction.
21. Define the term ‘disaster’ and describe its classification.
22. Write a note on disaster cycle.
23. Describe the trends in disaster management.
24. Explain the different methods of risk mapping.
25. Describe structural and non-structural mitigation measures in disaster
management.
4. hazard
5. Catastrophe
Session 2:
1. Fire Department
2. floods
3. development
4. all hazards
5. DHS or Department of Homeland Security
Session 3:
1. mandatory or required
2. Hazard Mitigation Grant Program
3. floodplain
4. Whole Community
5. stakeholders
Session 4:
1. Business Crisis and Continuity Management (BCCM)
2. Crisis Management
3. 63
4. DHS or The Department of Homeland Security
5. Organizational learning
Session 5:
1. Australia, New Zealand
2. tolerance
3. monitoring and reviewing
4. top-down
5. profiling
Session 6:
1. Traditional Analysis, systems thinking
2. split-second
3. holistic
Session 7:
1. managed risk
2. priorities
3. contents
4. credits
5. Assessment
II. True or False
1. True
2. True
3. True
4. True
5. True
6. False
7. False
compromised and cell phone towers overburdened — inaccessible for the most part. At
the time, some were able to communicate on their Blackberry devices; this was largely
due to the fact that the user community was not so large as to over-tax the infrastructure
in place to support it.
[Photo caption: The waterfalls are tested at the National September 11 Memorial at the World Trade
Center site, Friday, July 15, 2011 in New York. The memorial will be dedicated in a
ceremony on September 11, 2011, the tenth anniversary of the terrorist attacks. One
World Trade Center, center, rises above the site. (AP Photo/Mark Lennihan)]
Regardless of the particular communications tool you use, the lesson here is to
ensure that you have alternatives and contingencies in place should one or more
communications channels be impacted by an event.
We also learned the importance of communicating with the right people. Many
organizations communicated with their impacted employees and customers, but — as I
learned from talking with a number of large, international firms after the event — the
importance of communicating with remote regions and offices outside the immediate
footprint of the crisis was often overlooked.
In many cases, companies’ domestic and foreign offices complained that they were
not in a position to answer questions about their own New York offices — the head office,
in many cases — because they were not getting any direct information. Many were
forced to gather information through the media and other channels.
Since 2001, the phenomenon of social networking has revolutionized
communications. News about a crisis and your ability to adequately respond to it will be
broadcast from numerous sources through a variety of social networking tools. The
way that you use these tools to get your message out and monitor what is being said
about your organization should be addressed in your crisis management and business
continuity plans. A poorly implemented and orchestrated corporate communications plan
can undermine the efforts of your crisis response team.
Who’s in Charge?
Another challenge that large, multi-divisional companies experienced was in trying
to manage the crisis in a consistent manner. Many buildings near the World Trade Center
were occupied by numerous companies or autonomous divisions of the same corporation.
As a result, inconsistent decisions were made regarding whether to evacuate or stay in
place.
In some cases, management made the decision to not only stay in place, but to
continue to function as a normal work day. Employees became confused and concerned
when others began evacuating.
There were also problems with employees being directed by an anonymous
figurehead who claimed to be in charge. In times of crisis, people look for direction from
those they know and trust — the day-to-day management that they are in the trenches
with every day. When someone new starts shouting orders, employees look to their
management — people they know — to confirm and validate these commands.
Wherever possible, companies’ crisis management framework should provide for
corporate-wide response decisions to be communicated through the normal
organizational structure.
Leadership Styles
Most senior level executives in a firm have achieved success because of their ability
to perform long-term strategic planning. The most effective leadership style for these
individuals is “participatory management,” where they solicit information from a wide
group of resources, process the information and determine the proper course of action.
This management style takes time and is effective for decisions that are not
time-sensitive.
During times of crisis, the most effective leadership style is “command and control.”
People look for someone in authority to make decisions for them, quickly and confidently,
without having to form committees and perform studies on possible courses of action.
Not all senior-level executives have the skills to lead under these conditions.
An article in the July edition of Continuity Insights (Turning Disaster Response on Its
Head) discusses the advantages of a structured network over a top-down, command and
control style of response. While the article makes many valid points, the thing we learned
from 9/11 was not that command and control was ineffective, but rather that the
command and control resources were not adequately prepared for or provisioned to
effectively guide us through such a crisis. Improvements to an organization’s response
can be achieved by being better prepared for a transition to command and control
management — not by abandoning the strategy altogether.
Succession Plans
Companies need to ensure they have complete and updated succession plans for
all levels of management. After 9/11, many organizations’ leadership teams were either
geographically separated without the means to communicate, victims of the mental
health issues noted above or tragically killed in the event.
Business continuity planners need to identify all managerial positions that
require immediate succession, maintain up-to-date succession plans and ensure
that the identified next-in-command is adequately trained and prepared to assume
that role if required. Failure to achieve this, in some cases, may have contributed to
the shortcomings in the command and control aspects of crisis management during
9/11.
Perfect Practice
In the aftermath of 9/11, I spoke with numerous companies that were surprised by
their limited recovery capability — even with years of testing and exercising. The problem
was that they did not perform “perfect practice.”
One large financial services firm had been exercising successfully for years out of
their alternate trading floor facility. At least twice a year, they would set up operations in
their alternate trading floor and actually conduct production operations from this facility.
What they had failed to do, however, was to completely sever access to the production
data center in the same building that housed the trading floor. So yes, the alternate
trading site had all the desktop tools and phones to support a trading floor operation, but
without connectivity back to the production office, these devices were little more than
paperweights.
This issue is closely tied to the SPOF issue discussed earlier. As contingency
planners, we need to identify the SPOFs in alternate facilities as well as any resources
and infrastructure shared with your production facilities. During recovery exercises, all
connections back to infrastructure and technology in the home office must be severed.
Additionally, be aware of how much time and effort it takes to prepare for a recovery
test. Many organizations that were testing for years before 9/11 were only successful with
their tests because of special backups or special configurations they mirrored in the test
preparation process. Of course, disaster events do not come with advanced warning and
there is no time for pre-recovery preparations. Ensure that you can successfully recover
with a moment’s notice — without relying on pre-recovery setups.
A Word of Caution
Whenever I discuss lessons learned from the events of 9/11, I always like to add a
word of caution. As tragic and devastating as it was, in terms of business continuity
issues, it could have been worse due to the nature of the event and the impact it had
worldwide. There were few expectations that companies would be fully operational and
responsive the next day. Organizations were afforded the luxury of time and
understanding as they struggled to get back to normal operations.
The events that impact only your organization; that are not necessarily newsworthy;
where your customers do not share the tragedy or hardship; where the expectation that
you should be responsive to your customers’ demand for products and services
remains — will challenge you above and beyond, and in different ways, than an event like
9/11. Think about potential crisis situations that could be limited to your organization —
ones that may not impact your customers, vendors or competition.
Changed Forever
As I solemnly await the fourteenth anniversary of the tragic events of 9/11, my
thoughts are with the loved ones I lost and the business associates that perished. As a
crisis management, business continuity and disaster recovery professional, I remember
that day as a turning point for how we conduct our business. I hope that the lessons we
learned are not lost with the passing of time.