Business Continuity: Preparing for H1N1 and BeyondInterview with Alan Berman of DRI International and AnneMarie Staley of NYSE The H1N1 threat has put business continuity and disaster recovery (BC/DR) in the headlines. But behind the scenes, the discipline has long been active in helping global organizations respond to myriad natural and man-made disasters.
In a discussion about H1N1 and other BC/DR issues, Alan Berman of DRI International and AnneMarie Staley of NYSE touch upon:
Berman, the Executive Director of DRI International, is a CBCP, a member of the ASIS BS25999 technical committee, a member of the Committee of Experts for ANSI-ANAB, a former member of the NY City Partnership for Security and Risk Management and the co-chair for the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act (PL 110-53). Over a career that has spanned 25 years, he has served as a President and CIO for a major financial institution, National Practice Leader for Operational Resiliency for PricewaterhouseCoopers and Global Business Continuity practice leader for Marsh.
Staley is the Senior Manager of Business Continuity Planning and Disaster Recovery for North America for NYSE Euronext, which includes the New York Stock Exchange in New York. She is responsible for managing all aspects of the US-based business continuity and disaster recovery efforts. These efforts include risk assessment, business impact analysis, disaster recovery scenario development and response strategies, contingency plans, exercises, and training & awareness campaigns.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about business continuity and disaster recovery and we are talking with Alan Berman the Executive Director of DRI International, and with AnneMarie Staley, Senior Business Continuity Manager with the New York Stock Exchange. Al, AnneMarie, thanks so much for joining me today.
ANNEMARIE STALEY: Thank you Tom.
FIELD: Al, let me throw the first question to you just to start us out here. Will you tell us a little bit about DRI International and your role there please?
ALAN BERMAN: Sure. DRI International is celebrating its 21st year of education and certification in the business continuity arena. We are the premier certifier of individuals. We have about 7,500 active certified members in over 90 countries around the world. We conduct educational training courses in over 40 countries around the world and I am really the Operations Manager as well as the Financial Manager for DRI International.
FIELD: Very good. AnneMarie, perhaps you could do the same and tell us about yourself and your role in terms of business continuity disaster recovery with the Stock Exchange?
STALEY: Okay. I have been with my organization for ten years and in fact, when I started the company was called Securities Industry Automation Corporation, which was otherwise known as SIAC. We provided IT services of the New York Stock Exchange and the AMEX that is the American Stock Exchange. SIAC and AMEX have since merged with NYSE and the NYSE has merged with Euronext, which is a conglomerate of European stock exchanges. The NYSE Euronext also has interests in Asia and the Middle East so as a result we now have a very large global footprint for the NYSE brand. I am responsible for managing all aspects of the U.S.-based business continuity disaster recovery efforts and that covers risk assessment, business impact analysis, disaster recovery scenario development and response strategies, everything from plans, exercising, training and awareness campaigns.
FIELD: Well that is a lot to keep you busy these days.
FIELD: I have got a couple of questions that I would like to throw to both of you. Al let me toss this your way first, what are the biggest disaster threats that your organization is dealing with today?
BERMAN: I think we are all aware of H1N1, the threats posed by terrorism, threats posed by weather conditions and geology, but I think the threats that most of us feel would tend to be mundane day-to-day activities that shut down organizations, viruses, loss of communication, small fires. Things that tend to be very mundane to us, which cause the greatest disruptions and for those people who do this on a day-to-day basis I'm sure AnneMarie will tell you the same thing, we more worry about pipes bursting and telephone networks going out than we do the big hurricane coming.
So despite the fact that you know a lot about the big event, it is the small events that tend to be incapacitating to us.
STALEY: I would agree wholeheartedly with Al. And I would just add that you know one of the biggest threats that we face of course is the loss of staff of IT infrastructure both of which are ultimately our most important assets. You can have all the systems and redundancies in the world but if you don't have the people to run it, it doesn't do much good and vice versa.
FIELD: Well you are exactly right. AnneMarie, what do you find to be the greatest regulatory challenges now for yourself and your organization?
STALEY: Frankly I think it is the lack of the global unified regulation with more corporations having such a global footprint we constantly have to take into consideration the country, the state, local and agency laws, which can not only vary enormously even within the same country, but they are constantly changing to reflect new best practices and legislation. And the financial service industry just in the U.S. regulatory requirements by the SEC or the GAO have different and sometimes conflicting ramifications than Europe, where right now the European Commission holds way [ph].
There is currently a proposal for a European College of Supervisors, which only highlights the fact that the financial industry oversight within European countries is also very fragmented.
FIELD: Now Al, you deal with different countries as well as different industries, what do you find in general to be the greatest regulatory challenges for professionals that are dealing with business continuity and disaster recovery?
BERMAN: I think probably the biggest challenge is a total lack of knowledge as to which regulations affect them as they go around the world, and I think AnneMarie alluded to that. It is just in the United States that we have probably 84 different guidances, regulation standards covering business continuity; as we go global it becomes even more apparent that we do need to have what everybody's looking for is this convergence.
I think the other thing from a corporate point of view is now that, faced with voluntary corporate certification in emergency and disaster management and business continuity and finding those people who are really qualified to be able to certify companies.
FIELD: So Al given the kind of challenges you talked about in the regulatory landscape, what are some of the initiatives that DRI is leading these days?
BERMAN: DRI is an organization that certifies business continuity professionals so they can help companies, but one of the things that we just discussed is the regulatory environment and the certification environment. We have just produced a new certification in conjunction with NFTA (National Fire Prevention Association) to train auditors and certify auditors and lead auditors to be able to perform valid certification audits and business continuity emergency and disaster management to corporations.
The initiatives with NFTA we are also working with organizations like the American Red Cross, the Chamber of Commerce, the DHS and FEMA in trying to bring some coalition of regulations and standards so that people actually know what it is they can do and not be overdone by the regulations but actually become more prepared by doing these things.
FIELD: Now AnneMarie, for a professional such as yourself working in the field, what do you see is the role of an organization such as DRI International?
STALEY: Well besides providing training in current best practices and certification, DRI International has always served as an excellent networking tool for me through different events and their presence after many different industry conferences and symposiums. And also having the certification in my field shows my employers and clients that I do take my career very seriously and I think that is very important in that we do have a standard in that we can reach a benchmark and have that accreditation.
FIELD: And certainly that is a role that has gotten a lot more prominence in the last several years.
STALEY: Absolutely. It is a very growing field. I think a number of magazines have already named it as one of those top seven growing professions out there.
FIELD: See Al your travel schedule is not going to lighten now.
BERMAN: No, but as side note the Department of Labor has actually going to recognize business continuity as a profession this year.
STALEY: That is fantastic.
FIELD: That is a first.
STALEY: It is about time.
BERMAN: Yeah we have been working with them for about seven months and they are separating it from IT and disaster recovery emergency response and I think it is a response to the marketplace thing that that there really is a requirement for people who are trained in business continuity.
FIELD: Now Al the big conversation that we have been hearing for the past several months has been about H1N1 or the so-called Swine Flu. What should organizations be doing to prepare for this particularly in the U.S. when we expect the flu season to be active, and what are the actually doing?
BERMAN: Well I think two or three things have to happen. One is there is a whole administrative piece to this that companies are finally starting to look at. For example, what is the human resource policy about people being absent? As you know, H1N1 and H5N1 and most of the pandemics require social distancing, i.e., the ability for people to work at home, and there aren't corporate policies in place to deal with that now so that becomes one of the big issues when you start to deal with it. Obviously the preventive measures will help to do this but I think that organizations have to look at triggers. For example in the United States you can't look to the federal government you have to look at the municipal triggers because the municipalities, just like in New York when they closed all the schools, was a municipal decision.
So if I were sitting with corporations and I do this every day, the first thing I would tell them is to look to your local health organizations, look to you local police and fire departments so that you can at least get information disseminated because the triggers will be pulled by the state or the municipality and certainly not the federal government.
So it is important, especially if you are a large organization in multiple states to be able to reach out to those resources and reach out to them now before something happens.
STALEY: Absolutely. A lot of companies have actually matched their pandemic planning to the WHO Phases, the World Health Organization, and found that they weren't sufficient and they only served to explain the transmissibility and not the lethality factor. So that was a big lesson learned and like Al said, it should be based on municipalities.
FIELD: So given your organizations global scope AnneMarie, how have you approached H1N1?
STALEY: Well we have actually developed local pandemic teams and global pandemic teams and we have discussed and identified those triggers that Al mentioned and of course reviewing all of our policies for sick leave and travel and social distancing. We have also taken a look at the screening processes actually for people coming into our facilities, which we realize that not everyone can do because sometimes that can get a little bit expensive and consuming when using some of the new equipment out there like thermoscans, these machines that take your temperature in a second.
STALEY: And we have also started reviewing all of our recovery procedures, supply chains, vendor contact information, making sure those teams and recovery lists are up to date, as well as taking a look at information technology and how our [indiscernible] process and change management process is currently. One of the things you don't want to do if you do have a high staff absenteeism and everyone is working from home is to deploy a major upgrade or change at that time. So we have been taking a look at all of those processes.
FIELD: Well it sounds like one you have got a good plan in place here, but two maybe this has given you an opportunity to get some of those global synergies that you wanted to see.
STALEY: Absolutely. That is one of the unintended benefits for BCP.
FIELD: Now Al from what AnneMarie has described, the New York Stock Exchange is a good example of the preparation for H1, not only are they talking about it but they are actually doing it. Give us a sense of what is the actuality; how prepared are organizations for an outbreak of pandemic if it indeed does return?
BERMAN: Well I think on paper everybody looks like they are prepared. I think the issue is going to be again, and AnneMarie talked about this earlier, the critical nature of having the right personnel available. Distribution of Tamiflu, which has to be taken within the first 36 hours of symptoms so that critical people can show up at work and do their job. Making sure that their families are taken care of so that they can concentrate on their job. But the rudimentary pieces are how do you distribute drugs and antibiotics in a relatively chaotic environment is critical. And so I think that during the next few months you are going to see a lot of organizations try to figure our what the distribution is. After all, if you can treat it early it has very little effect on most people, but if you treat it late then the degree of seriousness increases dramatically. So the ability to start treatment immediately is important and the other thing is the IT environment, testing an IT environment with 80 percent or 70 percent of your staff working from home is really a product of how well your organization is from a virtual networking point of view. People think about the collapse of the internet but that is no the likelihood. The likelihood is phone networks will go down first so that testing has to be taken now and it has to be stress-tested now while things are relatively quiet.
FIELD: That makes sense. One last question for each of you; AnneMarie I would like to throw this your way first and then Al if you would like to pick up after her answer. For organizations unlike the Stock Exchange that might not be sure they have the right plan in place or haven't updated or tested their pandemic plan yet, what advice do you give them?
STALEY: Well it is very similar to what we, Al and I, were talking about before. This is the time now that they should begin reviewing the procedures they do have in place, taking stock of what their mission critical or critical processes are, whether they have the right people in place, whether they have some cross-training because we know the H1N1 doesn't respect rank or a company and it may hit anyone and we don't know who it will.
So making sure that they have those contingencies in place, the right people cross-training, up to date documentation, looking at their vendor supply chain, all of those are very important things that they should do.
BERMAN: Well my personal point of view is a disaster is a terrible time to start testing your plan. So I think that people do have to start looking at their plan and it starts with personnel and making sure that the personnel are available and that they can be connected remotely. Detection is obviously important and that will be in a lot of organizations security departments who are not used to this so they need to be tested, coordination with hospitals and how do you deal with people who do show up at work.
But I think that most people will look at the planning process from four or five facets if you will. One obviously is technology and its ability to deal with remote; two is personnel and making sure personnel can work from home or that there is a location that they can; three is the facility and making sure that the facility does have point where you can capture people coming into the building who obviously are ill; and four is to make sure that the management of the corporation, senior management and those people who are responsible, communicate well so that people understand the situation and don't overreact to it and understand that the organization is in control.
FIELD: That's well said. Al, AnneMarie, I want to thank you both for your time and your insight today.
STALEY: Thank you.
BERMAN: Thank you.
FIELD: We have been talking with Al Berman with DRI International and AnneMarie Staley with the New York Stock Exchange. For Information Security Media Group, I'm Tom Field. Thank you very much. ##