Disaster recovery assumes that something has hap- pened to disrupt business, and it’s time to start things back up again.

1. TheUltimate
GuidetoBusiness
Continuity
From CSO Magazine and CSOonline.com
CONTENTS
Pre-incident planning and incident response
Disruptions A to Z
Exercises
B U S I N E S S R I S K L E A D E R S H I P

2. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
2
A
disasterjustisn’twhatitusedtobe.Inyears
gone by, most companies defined a disaster
as an act of nature—a hurricane, tornado,
flood or fire that ravaged a building and
wiped out a company’s ability to conduct
business. Today, with worldwide networks, Web apps and
24/7 call centers, even a common electrical failure could
spell disaster, if it brings communications and online trans-
actions to a screeching halt.
Business continuity involves much more than planning
for disasters, though. It’s about taking steps to ensure that
unexpected events have a minimal impact on a company’s
ability to keep the business going. The focus is on continuity,
notcrisis.Goodplanningmusttakeintoaccounteverything
from people and communications to travel and facilities.
Becausebusinesscontinuityanddisasterrecoveryshare
much in common, they are often lumped together. However,
before we get started, it’s important to mention that the two
things are actually distinct, but intertwined.
Disaster recovery assumes that something has hap-
pened to disrupt business, and it’s time to start things back
up again. Disaster recovery is the set of steps and processes
involved in restoring a business to normal operation after
its operations have been partially or completely interrupted
by some event. Business continuity planning, on the other
hand, is making plans to keep your business going even
when something unexpected happens. A good business
continuity plan might perhaps keep a situation from truly
turning into a disaster.
All of this planning creates a hoary goal that can never
be met 100 percent. It involves weighing risks and tradeoffs,
thinking about bad scenarios and worse, making tough
decisions about which business functions are most impor-
tant, and determining the dollar value of keeping your busi-
ness running even in the face of horrendous events.
However, this gut-wrenching work has several benefits.
It can enhance employee safety, mitigate corporate liability,
help meet regulatory requirements, and protect or even
enhance your company’s public issues. In short, it’s good
for business, as long as it’s done in a smart, risk-oriented
way. This paper is intended to help you sort through the
many issues at stake and begin to plan and prioritize how
to protect your business from the damaging effects of any
interruption—whether it’s a small incident that affects just
one building, or a major event that makes headlines across
the country.
Section 1: Pre-Incident Planning
and Incident Response
GOOD BUSINESS CONTINUITY planning starts with
being proactive. That means taking concrete steps to plan
for an incident weeks, months or even years before it actu-
ally occurs. There’s no one-size-fits-all approach. Much
of business continuity planning varies based on the size
of your company, your line of business, and the locations
of your company, customers and suppliers. No matter the
particulars, however, there are certain fundamentals you’ll
need to cover—from making a business case to pulling
together a team to potentially hiring a third party to help.
We’ll walk you through each step.
Step 1: Establish the Business Case
If you want to make an effective business case for business
continuity, you need to make its effects tangible, before
disaster strikes. That means emphasizing not just the
importance of risk mitigation, but also the business value
and competitive edge that a strong business continuity plan
can provide. That’s easier said than done, but here are some
tactics that can help.
Useregulatorycompliancetoyouradvantage.Incertain
industries, regulations will define your business continuity
strategy. Especially if your company is in the healthcare,
financial services or insurance industry, the need to comply
with regulations may dictate your thresholds for recovery.
Aim to create a business continuity plan that reflects
your company’s culture. Business continuity means differ-
ent things to different people. The type of business continu-
ity plan you design and how you sell it will be influenced
by your company’s culture and organizational structure.
Understanding this cultural landscape will help you craft
a plan that is less likely to meet resistance from other parts
of the business.
Encourage grass-roots support by meeting individually
with people in different business units. A good business
continuity plan creates alignment among security, IT and
corporate strategies and policies. Lay the groundwork for
thatbymeetingwiththepeopleinindividualbusinessunits
and trying to understand their mindset and expectations.
Stay flexible. Asking for support for a business con-
tinuity program doesn’t mean you’re asking the business
to treat every application and piece of infrastructure the
same way. “Just because you need failover capability for
one application doesn’t mean you need that same capability
for all files and systems,” said Jim Grogan, vice president of
consulting product development for SunGard Availability
Services. “Creating a blended solution helps the business
become confident they are spending money wisely based
on business principals and policies.”
Find ways that business continuity can add to the bot-
tom line. Finally, try to approach business continuity as
a way of doing business—not as an add-on. One way to
get executives to see that is to convince them how having
a strong plan in place can improve revenue. “When [the]
LaSalle [Bank Building] had a major fire in 2004, they con-
tinued to process,” said Jack Smith, vice president and man-
ager of global IT business continuity at ABN-Amro (which
owned LaSalle at the time). “No critical functions were
interrupted, despite it being one of the largest fires in the
history of Chicago. Staying up when others may be down is
good business—not to mention good public relations.”

3. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
3
Step 2: Follow a Planning Process
Onceyouhavethego-ahead,howdoyouactuallygetstarted?
Fortunately, there are a pretty standard set of things a busi-
ness continuity plan should encompass. Obviously the first
priority is to protect human life. However, much of the plan-
ning focus is necessarily on how to manage the smaller, less
critical events, which happen much more frequently than
catastrophic ones.
According to Tom Olzak, an author and blogger for
CSOonline.com who has almost three decades of experi-
ence in network engineering and security, well-planned
business continuity event management has several goals:
To minimize the business impact of each incident.
To address human safety.
To mitigate corporate liability due to lack of due
diligence.
To meet regulatory requirements.
To protect the organization’s public image by a fast,
professional response.
“A business continuity plan includes all documentation
necessary to mitigate business impact and to recover bro-
ken processes,” Olzak writes. Chief among those are plans
for putting manual processes in place, so that you can con-
tinue to deliver products or services—even at a lower level
of output—until the business has fully recovered.
The plan should also include instructions for recovering
individual devices or systems, disaster recovery processes
for catastrophic events, and possibly contacts or agree-
ments for alternate data centers or business office sites as
well as alternate staffing.
Part of the initial planning process should include creat-
ing a list of stakeholders for each supported system. These
lists will become part of your overall incident response plan.
AccordingtoOlzak,stakeholdersmightinclude:dataowner,
process owner, managers, public relations, legal, security,
help desk, facilities management, labor unions, and key
customers.
Step 3: Build and Train
the Team (or Teams)
As soon as possible, you’ll want to start pulling together a
team—or teams—of people who’ll be responsible for busi-
ness continuity planning. The sooner you can involve them
in the planning process, the easier it will be to get buy-in
and ensure that the plan will meet your business needs. It’s
likely that you’ll need both an upper-level planning team
and a front-lines incident response team.
Theupper-levelplanningandexecutionwilllikelycome
from a management incident response team (MIRT), some-
times called a crisis response team. This cross-functional
team might include the CISO/CSO, chief privacy officer,
general counsel, chief compliance officer, business line
presidents and public relations (or functional equivalents).
During an event, this group ensures that accurate and com-
plete data is gathered concerning the incident, and works to
communicate this information to the stakeholders.
A front-lines incident response team, sometimes a
cyber incident response team (CIRT), will be more focused
on answering questions like: “What happened? How did
it happen? What damage has been done? And how do we
prevent it from happening again?” That team is likely to
include the following:
Team Manager. Has overall responsibilitytoensure busi-
ness objectives are metduringaresponse and is alsorespon-
sible for communicating status to senior management.
Technical Lead. Charged with assessing impact on the
technologyinfrastructure,andresponsibleforcontainment
and recovery activities as they relate to information tech-
nology. This person might supervise one or more engineers
or programmers.
Public Relations. Responsible for communicating with
investors, the press, and other outside entities.
Security. Encompasses facility, personnel, and informa-
tionsecurity.Iftheseareseparatedepartments,eachshould
be represented on the CIRT.
IS Support. Assists with containment and recovery, and
establishes alternate methods of information processing
when primary systems or network paths are disrupted.
FacilitiesManagement.Responsibleforresolvingpower
issues, coordinating the move to alternate locations, and
conducting structural assessments and repair fall here.
Labor Union. If applicable, can help diffuse possible
reaction to unusual management decisions and provide
employee perspectives of events.
Representatives of Critical Business Functions. Depend-
ing on the scope of the problem, might include one or two
administration or operations teams, or many more.
Once the team members are identified, they should meet
to begin building an incident response plan. “The plan
should include all activities related to containing and miti-
gating effects and improving future response,” Olzak said.
“The plan is then used to train the team. Thorough training
produces a team which reacts to events quickly, without
confusion. It helps ensure all members understand their
responsibilities, the roles of others, and team cooperation
when it’s needed most.”
Step 4: Have a Business
Impact Analysis Format
The next step is to understand your exposures and make
good decisions about your recovery strategy. If you have a
solid strategy, developing your plans becomes straightfor-
ward. “The most critical part of the whole process is your
business impact analysis, including the risk assessment,”
said Debbie Hoppenjans, manager of business continuity
planning at Siemens IT Solutions and Services. “That’s
where you need to spend most of your time.”
At its core, a business impact analysis is the process by
which you determine what systems or processes need to
be recovered and how quickly, according to “Building an
Enterprise-Wide Business Continuity Program ” by Kelley
Okolita, published by CRC Press in 2009. Broadly speaking,

4. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
4
the more time you can take to recover a business process,
the more options you will have to recover it, and the less
it will cost. Likewise, a business impact analysis can help
you justify the expense of faster recovery capability on time-
sensitive processes.
“All business functions and the technology that supports
them need to be classified based on their recovery priority,”
Okolita writes. “Recovery time frames for business opera-
tions are driven by the consequences of not performing the
functions.” If certain functions aren’t performed during the
down-time, what will really happen?
To do a business impact analysis of any given team, list
everything done by that group, and analyze each of these
functions against three areas: “financial risk of not per-
forming that function, regulatory risk of not performing
that function, and customer or reputational risk of not
performing that function,” writes Okolita. “... It is all about
impact. What happens to the company if we do not do this?”
Then, part two of the process is to ask, how long before we
see this impact?
To help you assess levels of recovery, you might create
a chart where you assign each business function a rating
that looks something like this (excerpted from “Building an
Enterprise-Wide Business Continuity Program ”):
Rating Timeframe Description
AAA Immediate
recovery
Must be performed in at least two
geographically dispersed locations that
are fully equipped and staffed.
AA Up to 4
hours to
recover
Must have a viable alternate site that
can be staffed and functioning within
the four hour timeframe required.
A Same day
recovery
Must be operational the same business
day and must therefore have a viable
alternate site that can be staffed and
functioning within the same business
day.
B Up to 3 days Can be suspended for up to 3 business
days, but must have a viable alternate
site that can be staffed and functioning
by the fourth business day.
C Week 1 Can be suspended for up to a week, but
must have a viable alternate site that
can be staffed and functioning the sec-
ond week following an interruption.
D Week 2 or
greater
downtime
allowable
Can be suspended for greater than
one week. A maximum number of days
should be identified for this function.
Step 5: Evaluating External Resources
Evaluating Business Continuity Consultancies . Feeling
overwhelmed? The good news is, there are plenty of consul-
tancies and service providers who can make sure that your
business continuity needs are met. BC/DR planning con-
sultants include large firms such as Accenture, Booz Allen
Hamilton, Deloitte, HP Enterprise Services (formerly EDS),
IBM Global Services, and PricewaterhouseCoopers. There
are also dozens of boutique consulting firms—regional and
niche players that just focus on business continuity plan-
ning. How can you be sure that the consulting firm has the
expertise to fill in your business continuity gaps? Here are
five questions to ask when choosing the best business con-
tinuity consultant for your company.
1.Doyouknowwhatyouneed?Togetstarted,you’llneed
to conduct a business impact analysis, and the consultants
should perform a recovery option study to determine your
company’s priorities. Make sure the consultant is willing to
outline your recovery options and the amount of time each
option will take.
2. Will the firm present several options?“Whenitcomes
to business continuity, it’s about planning and services,
and it should be less about technologies,” said Stephanie
Balaouras, analyst at Forrester Research. “It’s your strategy
for responding to business disruption and covers people,
facilities and technologies. It covers everything from pan-
demic planning to ‘Microsoft Exchange is down.’”
Firms that offer BC/DR planning and consulting
services should be able to help you do a business impact
analysis, identify critical business processes, map all the
dependencies and define how critically you need them, and
what the impact would be on revenue. “When you under-
stand that, you can build a business case and invest in the
right solutions,” she adds.
3. Are the consultants certified in business continuity
planning? Certification ensures that business continuity
consultants are well-versed in all aspects of BC/DR plan-
ning. Certification bodies include the Business Continuity
Institute, DRI (The Institute for Continuity Management),
Business ResilienceCertificationConsortium International,
and the University of Virginia.Specialized certifications are
available for emergency management, risk management,
audit, security and technology. DRI International offers
certification specifically for business continuity consul-
tants and vendors to ensure that practitioners understand
professional practices.
Each subject area includes the professional’s role within
the area and an outline of recommended knowledge within
the subject area. The 10 subject areas cover topics such
as risk evaluation and control, business impact analysis,
emergency response and operations, awareness programs,
training, crisis communication and coordinating with
external agencies.
4. Are they willing and able to prioritize? You can save a
lot of money by evaluating your BC/DR priorities, said Ben
Thornton of Corus, a disaster recovery and business conti-
nuity consulting firm. “If you need systems back up in six
hours—you can, but you’ll have to throw a lot of money into
that. Instead, consultants should be asking, ‘Do you need
that? What can you wait a couple of days on, or a week on?’
and establish priorities.” Perhaps only 20 percent of the
total environment must be recovered in minutes or hours.
5. Do they offer BC/DR solutions to fit your budget?
Nearly one-quarter of companies surveyed by KPMG

5. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
5
have not been able to justify the costs of business continu-
ity plans. Most of these companies are focused in the large
enterprise with 500 to 999 employees, according to the
study.Consultantsshouldknowyourbusinesswellenough
to understand budget constraints and your immediate BC/
DR needs.
“We let the business [units] decide what they want to
spend and help coordinate based what the numbers tell
us,” Hoppenjans explains. “We let [business impact analy-
sis] data tell us what each department is doing as far as BC
planning, what their risks and what their vulnerabilities
are, and they decide what to spend. Some responses may
be customer- or contract-driven.”
Evaluating Business Continuity Services and Soft-
ware. The frequency of common business interruptions
has boosted the market for external disaster recovery
services—which include data center services, backup and
mobile recovery services—to $3 billion to $4 billion a year,
according to Gartner. Here are some points to consider
when evaluating business continuity and availability ser-
vices and software.
Weigh the benefits of specialized business continuity
planning software. Business continuity planning software
can help large companies formalize the BC framework and
continually update the plan. “Of companies that actually
have plans, 50 percent use software and 50 percent use
informal software” such as Excel spreadsheets, said Steph-
anie Balaouras, a senior analyst at Forrester Research in
Cambridge, Mass.
Software providers such as SunGard Data Systems
(which acquired Strohl Systems Group), eBRP Solutions,
and U.K.-based Office-Shadow (now part of ICM Business
Continuity Services Limited) offer BC planning solutions.
Regulated industries that face audits, such as life and health
insurance companies or financial institutions that require
uniformity in how they build their plans, may benefit from
one of these software packages.
Consider the major business continuity/availability
service providers and some niche players. Hosted busi-
ness continuity/availability providers typically provide
cold sites (data center space to house your own equipment
and backup tapes), warm sites and hot sites (an operation-
ally ready data center), as well as data archival, restoration
capabilities, and managed services.
SunGard, HP Enterprise Services, and IBM Global Ser-
vices own the worldwide market share in this segment with
the broadest set of services. Smaller services players such
as Rentsys Recovery Services are also making inroads into
the market.
Let recovery requirements dictate the level of dedicated
BC services. Subscribing to a data recovery service that you
can trigger when a disaster strikes is fine if data can be
restored in two to four days. But increasingly, as businesses
require 24/7/365 availability, ¬more dedicated data recovery
services are required. Just make sure you’re not paying for
more than the business need dictates.
Use caution when outsourcing business continuity func-
tions overseas. Because of terrorism and natural disasters
typicallynotseenintheUnitedStates,suchastsunamisand
monsoons, companies should take caution when outsourc-
ing backup, recovery and business continuity operations
offshore.Somepopularoutsourcingcountriesmaynothave
the recovery capabilities found in the United States.
Step 6: Build a Crisis Communication Plan
Communication during a crisis can be thought of on several
levels—communicatingwithinternalconstituentsandstaff;
communicating with business partners, suppliers and cus-
tomers; and communicating with the general public, often
via the media. We’ll cover these aspects from the inside out.
Internal Communication. The people who work at the
organization must be kept apprised, as much as is rea-
sonable, during a crisis. Many organizations tend to keep
employees in the dark during a difficult time, and that’s a
mistake, said Brit Weber, program director at the School of
Criminal Justice at Michigan State University in East Lan-
sing, Mich. “They all have associates who want to know”
what’s going on when there’s a crisis, Weber said. “Employ-
ees will start calling the media if there’s a major crisis like
an evacuation. That’s why it’s vitally important to tell your
employees what’s going on,” so they don’t give out wrong
information.
Emergency notification systems can use many differ-
ent means of communication—phone calls, text messages,
e-mail—to contact employees, vendors or other critical per-
sonnel. A calling tree with home and mobile phone num-
bers can be a simple first step.
“Although [emergency notification systems] may have
slick bells and whistles, I have found that you don’t need
them,” ABN Amro’s Smith said. “You need a system that
will call a lot of people all at once and have them call into
a central conference call number.” He also suggests hav-
ing an automatic phone forwarding system through your
phone company. That way, clients whose only contact is an
office phone number can be rerouted to an employee’s cell
or home phone.
In some cases, companies also have discovered that
portals or intranets have been useful during a crisis. That’s
what happened at Gale GFS, anyway. The property manage-
ment company has an Incident Reporting System that oper-
ates as asortof business blogon its intranetportal. Creating
it wasn’t complicated, said Chris Messineo, assistant VP for
IT at Gale GFS (a unit of the Gale Company), which man-
ages and oversees properties around the world. Essentially,
anemployeecanlogontotheWeb-basedsystemwithauser
name and password and write about a hurricane, an explo-
sion or any other incident. Gale GFS designed and built its
system to automatically send out an e-mail notification to
everyone in the region. Through an online control panel,
administrators can determine who gets notified by region
and by company. E-mail alerts pop up on cell phones and
smartphones, as well as on computer screens.

6. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
6
Each case or incident is archived in the system so that
others can retrieve them from the database in order to study
them. Each session, however, is available for viewing only
by the employees working with a specific client so as to
maintain security.
External Communication. Keeping employees in the
loop is only part of the equation. During an adverse event,
the crisis response team will determine the appropriate
parties that must be notified both under the law and con-
sistent with corporate values, as many organizations will
decide to go beyond the legal or contractual requirements to
protect the clients and consumers. The ultimate goal of all
crisiscommunicationisessentiallytoupholdlong-standing
relationships and assure key stakeholder groups that your
company understands how the event impacts them and
what you intend to do about it.
When something really bad happens, such as a natural
disaster that forces a company to evacuate headquarters
or a security breach that results in lost or stolen data, the
media will come calling. How organizations deal with the
blitz could affect the long-term impact of the crisis. An effec-
tive and constructive response might help put the company
in a positive light during a tough time. An ineffective or
antagonistic reaction might make a disastrous situation
even worse.
Here are some tips for dealing with the public—and in
particular the media—after a security incident or business-
interrupting event.
Be truthful. Honesty really is the best policy. “One of
the most important things is to try to understand what the
media is interested in. The media is interested in accurate,
truthful information—something that will be of interest to
their readership [or viewers],” said Michigan State’s Brit
Weber. “If you don’t know the answer, indicate that it’s
information you don’t know at this point and hope to [pro-
vide] later.
Provide useful information. Organizations should be as
forthcoming as possible with information about the specific
incident,andprovideanyrelevantbackgroundinformation
that will help the media put the situation in proper context.
“Tell them what you do,” Weber said. “Provide a fact sheet or
release that explains what your business does.” If you don’t
provide information, reporters will look for other sources
inside and outside the company, who might provide inac-
curate or outdated information.
Trainyourspokespeople.Inacrisis,manyorganizations
automaticallyputtheCEOinfrontofthemedia,Webersaid.
But if the chief executive or other designated spokesperson
isn’t comfortable or familiar with reporters, cameras and
microphones, that could backfire. “All spokespeople need
to be trained to deal with friendly interviews and in-your-
face ambush interviews,” said Jonathan Bernstein, presi-
dent of consultancy Bernstein Crisis Management. “It’s not
an intuitive skill.”
Establish an ongoing relationship. Organizations that
keep media outlets informed on an ongoing basis will be
less likely to have misunderstandings when a crisis arises.
Theymightevenrelyonthemediaforhelpindisseminating
information. “It’s very important for corporations to have a
collaborative or partnership process with the [local] media,”
said Weber. “Don’t wait for an incident to happen.”
Don’t let the media be the only source of news.Consider
using communications tools such as employee newsletters,
orallowingofficialstomakepersonalappearancestogroups
such as a chamber of commerce or business association.
SECTION 2: DISRUPTIONS A TO Z
DIFFERENT SITUATIONS REQUIRE different types of
plans. Below, we list some specific wrinkles and possible
approaches to different types of threats.
Corruption
Corruptioncanbelikeaformoftax,buttheremaybemount-
ing pressure not to pay. In the past, there were allegations
that the extractive industries -- particularly energy and oil --
were paying off lots of people, in order to operate in corrupt
environments, said Chris Voss, a former lead hostage nego-
tiator for the FBI and now CEO of The Black Swan Group.
Now, “under pressure from human rights groups, there’s
a set of voluntary principles that the extractive industries
signed off on, saying that they would contribute to trying to
build legitimate law enforce infrastructure instead of pay-
ing people off and encouraging corruption.”
In places where the law enforcement infrastructure
is not well-developed, these companies are also building
their own security forces and compounds. If an economic
downturn makes them unable to afford this protection, it
will affect their security.
Extortion
Here’s one CISO’s plan if he receives an extortionist’s
e-mail.
1) Contact general counsel and CIO executive team (and
whomever else they deem appropriate), and jointly make
assessment of the company’s risks as well as the credibility
of the threat. Discuss all possible factors that could mag-
nify the risks (such as impending big executive news or an
acquisition).
2) Recommend contact with appropriate electronic
crimes law enforcement officials for tactical advice and
(hopefully) assistance. (For example, are we the first to
evergetthisthreat?Aretheseknownperps?Hastherebeen
prior experience with them or with this MO?)
3. If top management agrees to involve external law
enforcement, begin an investigation jointly with law
enforcement. Formulate detection and response strategy
with them to prepare to acquire and preserve evidence.
4. If senior management declines to involve external

7. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
7
law enforcement, then expect to be tasked to assemble a
“red team”. Regardless of whether management decides to
pay, this team will search for and eliminate the vulnerabili-
ties that make the threat credible, and take other steps to
diminish risk of attacks.
5. Simultaneously expect to be working with crisis man-
agement teams, and especially the investor relations and
corporate PR staff, to prepare an official position for the
media. If a U.S.-based company, consider the Sarbanes-
Oxley implications of every decision. That means senior
finance folks will also need to be involved.
6. Warm up disaster and business continuity plans and
providers depending on the nature of the threat, perhaps
increase backups in frequency or type. (For example, go
to “full now” instead of “incremental” for critical systems
at risk.)
Floods
Flooding is generally localized and somewhat predictable.
If you operate business in an area prone to flooding, be sure
to have a good plan in place for doing system backups, and
plan to have redundancy in an area outside of the flood zone.
Remember that even if your company facilities are on high
ground, employees and delivery persons may be unable to
get to the facility due to flood water over the access roads.
Finally, expect a lot of residual impact due to employ-
ees, vendors and customers being directly impacted. Even
if corporate facilities are not impacted, employees may have
personal losses of home and property and be busy attempt-
ing to deal with these losses and the cleanup involved.
(See also Hurricanes.)
Global Hotspots
How to do you keep executives and employees safe in global
hotspots? Chris Voss, a former lead hostage negotiator for
the FBI and now CEO of The Black Swan Group, offered
some thoughts on the risks and trends in different areas:
Haiti: “Economic kidnapping is like a virus; once it gets
into a society it’s very hard to get it out. Criminals find out
it’s pretty easy money. That’s what’s happening in Haiti, I
think. There’s not much wealth in Haiti, but kidnapping
numbers have to be up to 250 or so Haitian-Americans. If
they grab someone who has family in the US, whatever they
get—if they get $5k to $25k per kidnapping—that’s really
serious money in Haiti.”
Mexico: The Mexicans are “covering up a massive kid-
napping problem. I recently had a conversation with the
head of security for an international company based in
Mexico; he tried to tell me, ‘Kidnapping, it’s mostly crimi-
nal on criminal’—which is nonsense. They’re diminishing
the problem, trying to keep the larger world from criticizing
them. So it’s getting worse and worse all the time. Tremen-
dous amounts of legitimate businessmen are leaving that
region.”
Philippines: “In the Philippines, at the end of the Burn-
ham-Sobero kidnapping case [2001-2002], the response
of the Philippine and U.S. governments really sort of took
their kidnapping infrastructure apart, left the Abu Sayyaf
in somewhat of a shambles. They began to move toward
bombings at that time. But that’s run its course and they’re
getting back into it, starting with locals. I think it’s a matter
of time before they are looking for Westerners again.”
South America: “Colombia is much safer than it was
ten years ago. Amazing difference. When I went in 1998,
the guerillas had complete control of the countryside, and
you could not travel there safely. In 2005, I went to a going-
away function in the countryside with no military escort.
We were hardly armed at all. Now sometimes when you put
pressure on crime in one area, it simply moves to a differ-
ent area. Some of the Colombian kidnappers quit, and some
are in jail. Of the others, some moved. So it’s on the rise in
Venezuela and Ecuador.”
Hurricanes
While it’s impossible to predict the severity and timing of
any given hurricane, if you conduct business in certain
parts of the country, you can be fairly well-assured of the
need to plan for the high winds, heavy rains and flooding
that mark these strong storms. Obtain adequate insurance
both for hurricane wind damage and flooding, and make
sure that your business continuity plan encompasses the
loss of power and running water.
If it’s necessary to have a data center in a hurricane zone,
make sure the building is built to sustain hurricane dam-
age and has back up and battery power. Better still, have a
back-up data center in another part of the country, and test
it by bringing the main data center down and bringing up
the back-up one.
The data is only one part of the picture, though. Be sure
that employees understood where to go and what to do dur-
ing an evacuation. It’s important to have a way to send out
alerts to all employees, even if the hurricane strikes on a
weekend or when employees are traveling. Alternately, you
could set up special numbers so people can dial-in and alert
the company as to where they are.
If a facility goes down because of power failure or flood-
ing, many organizations need a physical location to place
their staff so operations can continue. Tampa-based OSI
RestaurantPartners,whichownspopularrestaurant-chain
brands including Outback, maintains a comprehensive
facility in Atlanta, which they have had to use at least twice
in the last 4 years.
“Once we declare a disaster, we have 50 cubes available
there,” said OSI Chief Information Officer Dusty Williams.
“But we have to go up and make sure everything is up and
running and ready. So we have people, from an IT perspec-
tive, head up 72 hours out ahead of any storm in private air-
crafts to make sure everything is ready to go.”
The process of relocating people and sometimes equip-
ment is time consuming, labor intensive and costly. The
company even has contracting companies on standby for
employees that may need assistance with boarding up

8. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
8
houses before they depart. As complicated as it all sounds,
Williams said, thankfully, most of it can be planned.
“With hurricanes, you have a distinct advantage over an
earthquake or a tornado,” Williams said. “You really don’t
know when they will strike.”
Kidnapping
Chris Falkenberg, president of Insite Security, a New York-
based consultancy, outlines four preventative measures
companies can consider to minimize kidnapping risk.
1. Establish a counter-surveillance program. An orga-
nization with an effective counter-surveillance program
has good shot at detecting a threat, increasing security and
motivating potential kidnappers to go elsewhere. In addi-
tion to having personnel manning the gate, a counter-sur-
veillance program has personnel who are watching to see
who is watching others. This means looking for people who
might be walking back in forth frequently in front of a loca-
tion, taking video or photographs, or counting footsteps to
determine the measurements of a given location.
A counter-surveillance program might also use CCTV
infrastructure in a proactive way, Falkenberg said. “A coun-
ter-surveillance team can use all of the intelligent video in a
proactive means, particularly if you have the ability to iden-
tify cars and license plates to keep an eye out for who seems
to be in your perimeter.”
2. Utilize GPS. Falkenberg recommends companies put
in place technology to be able to receive GPS transmissions
from cell phones or emergency GPS transmitters. While
this technology may only go so far because the device will
likely be taken from the victim, in some scenarios, it could
still aid in rescue. “There is some technology coming out in
which you can program a cell phone to send out a distress
signal,” Falkenberg said. “What we are using with some
clients is a handheld GPS transmitter which you can essen-
tially use as a portable panic button.”
3. Train employees on how to stop a kidnapping in prog-
ress. When an event takes place, victims find themselves
forced into vehicles with commands shouted at them like
“Get in the car! We are going to kill you!” While this is terri-
fying, it is actually much easier to turn the situation to your
advantage at that point than it is once you are incarcerated,
Falkenberg said. However, this kind of reaction to threats
is not second nature—it is something that has to be learned.
He recommends talking with employees about what to do if
threatened and rehearsing it.
4. Consider families, too. A crisis management and con-
tinuity plan for the family outside the office is key. However,
the family component can’t be addressed with the same
techniques used for employees because families are not
going to tolerate the kind of protection that c-level execu-
tives tolerate at work. Also, it is just not cost effective. Falk-
enberg suggests training family about potential dangers
and how to behave if someone attempts to abduct them.
More tips and advice. Falkenberg also recommends
companies train employees about how to act as hostages
in the event that they are abducted. Tips include touching
everything in sight to leave lots of fingerprints and talking
to the kidnappers so they see you as a human, not an object.
Falkenberg recommends mentioning family, children, and
other personal facts that may aid in getting them to see you
as a person.
McCann, senior VP of security operations and training
at Kroll, also advises finding some kind of resonant chord
with abductors to try to get them to show more empathy
toward you. Mining your captors for information also can
be helpful. You may be able to discern whether you were
abducted for political or religious reasons, for ransom or
for all of the above.
It’s also important to remember that people are work-
ing to get you released. “The feeling of hopelessness works
completely against you,” he said.
Pandemic
Business risk consultancy Control Risks has identified ten
questions organizations can use to determine their level of
preparedness in the event of a pandemic emergency. Brian
Kaye, vice president and national practice leader for busi-
ness continuity, walks us through these questions.
1. Have you defined reliable information sources that
you will monitor for situational awareness in the event of an
influenza pandemic? The information gathered from these
sources will be critical for your decision-making process.
2. Has top management documented a set of guiding
principles? This would outline, among other things, the
commitments the firm will make to protect its employees
and the budget available for planning.
3. Does the firm have in place a robust Crisis Manage-
ment & Communications program that will allow execu-
tives to make key decisions and communicate messages on
a timely basis? The question in pandemic planning, accord-
ing to Kaye, is not how do we pick up the pieces; rather it
is how do we live with this situation over the course of the
next 18 months?
4. Is there a business continuity program in place that
documents key products and services that will receive pri-
oritized attention during a time of reduced staff availability?
If only 50 percent of staff is in the workplace on a particular
day, which business activities will be conducted and which
will be deferred?
5. Has the firm implemented a robust employee health
program that will guide ‘safe workplace’ protocols, such
as facility access, social distancing, and surface cleaning?
Surface cleaning and social distancing both prove effective
and can have a major impact. The conventional perspec-
tive is that people are universally susceptible to influenza
pandemics, and we must rely on these approaches to limit
contagion.
6. Has the firm documented Human Resources provi-
sions that outline actions employees should take if they
become ill and how to handle sick leave and family care
issues? It sounds so simple, but if you don’t provide clear

9. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
9
instruction regarding sick leave, employees will show up
to work sick and ask whether they should stay or go. You
need to remove any uncertainty in the mind of the employee
so that they can stay home and get better without risk of
spreading the virus to other employees.
7. Are key strategies for remote connectivity of workers
backed up by actual IT capabilities in terms of VPN band-
width and hardware availability? You need to be realistic
and ask whether your existing IT infrastructure can sup-
port your entire workforce working from home at once.
8. Has the firm prepared guidance for expatriate
employees and travelers? Does the firm have the ability to
re-create travel patterns for employees, to support investi-
gation into risk exposure?
This goes back to ensuring that your sources of informa-
tion are reliable and establishing your guiding principles.
This was a lesson learned from SARS, Kaye said. ”If you
have the ability to retain employees travel history and re-
create their travel pattern, you have the potential to pin-
point their point of exposure.”
9. Has the firm discussed its pandemic preparedness
efforts with key vendors, suppliers and other business part-
ners?“Eventhestrongestin-housepandemicpreparedness
program can be rendered worthless if the company has a
dependence on a third-party that is compromised,” Kaye
said.
10. What is the firm’s position on the procurement and
stockpiling of both pharmaceutical and non-pharmaceuti-
cal protective measures? If there is a formal program, who
is responsible and are all key provisions up to date? “Anti-
viral treatments are receiving so much attention right now
that it is almost tempting to mistake them for a pandemic
preparedness program,” said Kaye. “I cannot stress enough
that they are not one in the same.”
Tornados
Business continuity planners in tornado alley have much
in common with those in hurricane areas—but also key
differences. Tornadoes have smaller funnels, but they can
appear in groups, may feature dramatically higher winds,
and can strike with far less warning than a major hurricane
typically provides. Tornadoes can stretch more than a mile
acrossandstayonadestructivegroundpathformanymiles,
wiping out structures and picking up objects and debris
along the way.
It’s impossible to build a structure that can withstand
the strongest tornado, so redundancy is key. However, it
may be possible to have redundant data centers within an
easy drive of one another.
With tornado patterns in mind, Cancer Treatment Cen-
ters of America (CTCA) built two data centers in greater
Chicagoland so that they sit 59 miles apart and in a pattern
in which the likelihood of tornado hitting both of them is
nearly impossible, said Chad Eckes, chief information offi-
ceroftheSchaumburg,Illinois-headquarteredorganization.
The locations were chosen based on information from the
Federal Emergency Management Agency about weather
patterns.
“The first main design from a BCP standpoint was to
have complete redundancy in our data. Anytime there is
anyproductiondatawrittentotheprimaryitisimmediately
mirrored over to our DR data center,” said Eckes. “Literally,
we are up to date in our second center within 15 seconds.
That is, with a complete copy of all clinical systems.”
Geoff Craighead, vice president of High-Rise and Real
Estate Services at Securitas Security Services USA and
author of “High-Rise Security and Fire Life Safety,” advises
clients he works with in tornado zones to consider all physi-
cal elements of a building when creating a business continu-
ity plan.
Tornado warnings, when they are possible, are often
broadcast on both radio and television, which of course can
be monitored in the average security or network operations
center. Craighead said if an organization is warned there
is possibility of a tornado in the near future, preparations
could include securing or moving outdoor objects such as
trash containers, planters, signs, furniture, and vehicles
that may blow away or cause damage to people or property.
Craighead also recommends pruning tree branches that
may cause damage to the building. Occupants should clear
all objects from desks and working areas, and all exposed
paperwork should be stored in closed cabinets and other
containers, he said. Valuable equipment and documents
should be moved to interior rooms.
SECTION 3: EXERCISES
PRE-INCIDENT PLANNING FOR business continuity
events should start by developing realistic scenarios that
could arise. Typical examples would deal with external
fraud, a malicious insider, a technology hack, lost media, a
data center disaster and an external security breach.
A tabletop exercise is a great way to get business conti-
nuity plans off the written page without the interruption of
a full-scale drill. Rather than actually simulating a disaster,
the crisis management group gathers for three hours to talk
through a simulated disaster.
It can be a full-scale production that involves local first
responders and professional moderators. Or it can be a sim-
pleaffairconductedbyin-housedisasterplanners.Theidea
is to have an escalating scenario that unfolds in several seg-
ments. After each segment, small working groups discuss
how they would respond, then report back to each other
before hearing from moderators about what happens next.
Tips for an Effective Tabletop
Decide how much gloom and doom you want. When plan-
ning a tabletop, Joe Flach, VP of Eagle Rock Alliance, asks,
“Do you want this to be a physical event with assets dam-
aged and destroyed, or do you just want those things inac-
cessible? Do you want death and injuries, or just to test the

10. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
10
ability to get work up and going someplace else?”
Test how quickly you can pull together key players.
At public utility PSE&G, Director of Corporate Security
Mike Paszynsky said the crisis management group doesn’t
always know when a tabletop will occur. Instead, the com-
pany tests how quickly it could reach all those individuals.
Specialized software pings team members’ phone numbers
and communications devices, alerting them that the crisis
management team is assembling.
Involve everyone. Make sure each person has a role. If
onepersonanswersallthequestions,haveothersenacthow
they would respond if that person were unavailable.
Acknowledge that first-timers may be nervous. “Some
business managers don’t want to show that they may not
know how to respond to a certain issue,” said Rad Jones of
Michigan State University. To make them more comfortable,
consider an hour-long orientation. Later, work your way up
to a three-hour exercise, and then invite local law enforce-
ment and first responders to participate.
Encourage misinformation. During a crisis, Flach said,
“you’re always asked to make timely decisions based on
incomplete and inaccurate information.” You can simulate
the confusion this causes by giving the groups handouts
containing different information.
Take the lessons with you. A designated note-taker
should keep track of what happens; always leave time for
lessons learned.
Scenario 1: A Disgruntled Employee
Starts a Data Center Fire
Segment 1: A small fire begins just outside the data center,
setting off the alarm system. By the time the fire department
arrives, the fire has been extinguished by the sprinkler sys-
tem, but the building has been evacuated. Employees and
people who work in nearby buildings want to know what
has happened, as does the media. Then, as people begin to
go back inside, the receptionist takes a call from someone
who indicates that the fire is “only the beginning” because
the company hasn’t treated him right.
Segment 2: An employee discovers a box in the lobby
with a handwritten warning that it contains anthrax. Man-
agement decides to evacuate the building again. Calls come
in from concerned family members, and local TV crews
arrive. Meanwhile, the sprinklers in the data center have
caused the company’s e-mail and Web servers to stop work-
ing, which means the company’s e-commerce site is down.
Segment 3: A woman calls the newspaper claiming to
be the wife of an employee who’s just been laid off and who
has left printouts about anthrax scattered in his home office.
The newspaper calls the company with this information.
The health department is on scene. The company’s call cen-
ter (at another location) is swamped with calls from custom-
ers who can’t place orders at the website.
Segment 4: The police apprehend a suspect. The health
departmentdeterminesthattheboxdidnotcontainanthrax
and the building is safe. Some employees are afraid to come
back to work.
Based on a suggestion by Rad Jones, academic special-
ist at Michigan State University’s School of Criminal Justice
and former director of security and fire protection for Ford
Motor.
Scenario 2: An Explosion at a Nearby
Chemical Plant Releases Deadly Toxins
Segment 1: An explosion occurs at a chemical plant two
miles from headquarters. Local news media are reporting
that an undetermined number of the chemical company’s
employees have been injured or killed, and officials are try-
ing to determine to what extent deadly toxins have been
released into the air. No one is sure what caused the blast.
Segment 2: Area hospitals are crowded with people
reporting breathing difficulties, and public health officials
are encouraging people all over the city to “shelter in place”
as a precaution. Headquarters is currently upwind of the
explosion. The company needs to decide what to tell its
employees to do but isn’t sure whether it has the legal right
to tell people not to leave. People are speculating that terror-
ists caused the explosion.
Segment3:Thecompanytellsemployeesnottoleavethe
building, but many do anyway, saying that they don’t trust
what they’re hearing and that they need to get home and
take care of their families. The security guards at the front
door also want to know what to tell people on the street who
want to take shelter in the company’s lobby. The cafeteria
reports that it has already sold out of lunches.
Segment 4: The immediate danger passes, and authori-
ties say the explosion was an accident. Several employees
have been hospitalized, and others are upset that the com-
pany cafeteria did not have more supplies on hand.
Based on a suggestion by Mike Paszynsky, director of
corporate security at PSE&G, a Fortune 500 public utility
based in Newark, N.J.
Scenario 3: A Pandemic Flu Hits
Segment 1: A pandemic flu starts sickening and killing peo-
ple in Hong Kong, where the company does not have any
operations. The medical community fears that the disease
will spread to other continents and said that anyone who
has been to Hong Kong in the past three weeks could be
a carrier. As a precautionary measure, the company con-
siders asking employees who have traveled to Hong Kong
within the past three weeks not return to work until they
see a doctor. The company also considers having security at
the front door ask every visitor whether he or she has been
to Hong Kong in the past three weeks.
Segment 2: A few people in the region are diagnosed
with the disease, and the absentee rate at schools rises.
Employees start calling in sick, but it’s not clear whether
they are ill or afraid of going out in public. Enough people
are absent that the company struggles to keep systems up,
take orders and pay bills.
Segment 3: The disease spreads, and absentee rates

11. CSO EXECUTIVE GUIDE THE ULTIMATE GUIDE TO BUSINESS CONTINUITY
11
shoot up to almost 50 percent. Some employees are sick
or caring for sick family members. Employees are asking
the company to provide for vaccinations and masks, even
though the medical community said those precautions
may not be effective. Critical functions are not getting done.
Managers consider letting crucial staff volunteer for a lock-
down—those who volunteer would receive vaccinations
but then not be able to leave the building until the danger
passes. They also consider rerouting work to another loca-
tion or calling in retired workers to help out.
Segment 4: The disease has peaked, but many employ-
ees are still leery of returning to work.
Based on a suggestion by Joe Flach, VP of Eagle Rock
Alliance, a business continuity consulting firm in West
Orange, N.J.
Catastrophic Threats
What does the Department of Homeland Security view
as the country’s biggest risks? A hint came in its National
Preparedness Guidelines, released in 2007, which listed
these 15 unranked catastrophic scenarios. Collectively they
demonstrate the need for a far-reaching range of response
capabilities.
Improvised nuclear device
Aerosol anthrax
Pandemic Influenza
Plague
Blister agent
Toxic industrial chemicals
Nerve agent
Chlorine tank explosion
Major earthquake
Major hurricane
Radiological dispersal device
Improvised explosive device
Food contamination
Foreign contamination
Foreign animal disease
Cyber attack