
Crisis monitoring: the art of preparation

By Steven A. Burns, Principal, EverGreen Data.

Introduction
Risk. It’s something we all struggle with, four little letters that keep us up at night. Many of us have made a career out of understanding the potential impacts, and creating mitigation strategies and response plans for every possible event. The reality is, there are so many events, so many possibilities that it is utterly unimaginable to prepare your organization for every risk. Many of us turn to classic probability statistics to help determine what the most likely events are that may happen to our facilities, assets and the human beings that work for our organization. Unfortunately, the world of risk management is a different place today than it was just 20 years ago, and the bad news is that it will be a far different place in just 5 years than it is today. This alarming truth equates to the unequivocal fact that global risks and threats are evolving and multiplying faster than the speed at which risk management policies and implementation can keep pace.

Recent studies back this notion. A recent IBM study of 1200 CFOs in 79 countries indicated that in the past three years 62 percent of enterprises with over $5 billion in revenue encountered a major risk event. When a major risk event did occur (such as strategic, operational or geopolitical) 42 percent of these enterprises were not well prepared for the event (1). Studies like these highlight the complex nature of monitoring and responding to major risk events.

These types of statistics may seem alarming to some based on the maturity of the emergency management industry. Today, most enterprise organizations have robust business continuity plans. From formal business impact analysis to IT risk assessment, large organizations typically have teams of people addressing risk and impacts. Further, one of the most challenging aspects of operational risk management has matured over the past decade - recovery strategy planning. Trends in this aspect of business continuity have led to companies using their own sites as secondary failover sites for critical data. Data replication technologies have blossomed into real-time data mirroring techniques that protect critical company data. Work-force continuity has also been addressed by many enterprise organizations, from outsourcing to traditional work-area recovery sites, to the utilization of the latest ‘work-from-home’ technologies that allow non-critical personnel to access their systems remotely, allowing them to continue high-priority business operations during an extended outage. For decades enterprise organizations have formalized business continuity and IT disaster recovery plans. Typically, these plans identify recovery teams which include the personnel, contact information as well as specific recovery tasks that each individual is responsible for during an outage event. These plans are used as ‘scripts’ for recovery of critical business processes as well as the IT infrastructure that supports them. These plans are tested regularly, usually two to four times per year. Over the past decade, dozens of companies have emerged offering emergency notification systems, allowing emergency management personnel to instantly notify employees during a disaster or extended outage event as well as manage the recovery in real-time; typically called incident management.

Crisis monitoring introduction
With so many steps being taken to protect the organization from the outage impacts of risk events, the obvious question is: “Why are so many enterprise organizations unprepared when the risk event actually occurs?” The need to answer this question has led to innovation in one aspect of risk management: crisis monitoring. The simple fact remains that risk events do not just happen Monday through Friday during regular work hours. Risk events don’t care that it’s 2:00am on a Saturday and they don’t read the calendar. One of the largest holes in most enterprise risk management programs is the lack of round-the-clock monitoring of crisis events. The old saying ‘timing is everything’ has never rung more true than in dealing with crisis activities. Having a robust crisis monitoring solution in place may be the difference between success and failure of your risk management strategies.

Crisis monitoring defined
Crisis monitoring is defined as the process of monitoring local, regional, national and global threat activity and notifying critical personnel, or entire staff, of pending or ‘just-happened’ events. For many enterprise organizations, crisis monitoring is a necessary addition to their risk management programs. The process of crisis monitoring links threat activity to the actual zip code of each facility. Each threat is assigned a criticality level based on the parameters set with each customer. Based on the criticality level of the threat, certain risk management, emergency personnel and/or executive team members are instantly notified of the event using an emergency notification system. This process is monitored and overseen by trained emergency management personnel, typically residing in an unmarked command center that is staffed 7x24. The combination of constant human vigilance and the latest threat monitoring technologies provides the highest level of security for each facility, and ultimately the people that work there.

Top three reasons that businesses are buying external crisis monitoring services:

1. Peace-of-mind: the basic fact is we can’t be in all places at one time. Even the largest of enterprise organizations cannot provide ‘around-the-clock’ coverage with specialized personnel trained in emergency management disciplines. Also, for many organizations the costs of building a tier-one command center and staffing it 7x24 with experienced personnel, as well as building and maintaining data aggregation systems for local, regional, national and global threat activity, far outweigh the benefits. This type of service lends itself to outsourcing.

2. So much data: today, with the explosive growth of Internet-related activities, such as blogs and wikis, data is available instantly. A common practice in the data-mining field is something known as ‘scraping’, whereby keywords are searched across the Internet to find blogs that are discussing this or some related topic in real-time. These keywords and related information are pulled or ‘scraped’ off of the blog site, compiled and reviewed to look at their use based on date, time, gender, and a seemingly endless list of other criteria. Also, there are thousands of new sites being posted monthly dealing with topics relating to risk management, business continuity and crisis management. Most organizations do not assign employees to the task of keeping up with the latest information pervading the Internet about risk and threat information. The costs quickly become prohibitive for large enterprise organizations to staff this type of data gathering and analysis. Outsourcing to a crisis monitoring firm helps customers gain the economies-of-scale associated with outsourcing specific tasks, as well as puts monitoring local, regional, national and global threat activity into the hands of experienced professionals.

3. Changing world: certainly, some of the natural disasters, as well as social and geopolitical events that have happened over the past decade have not only changed our lives forever, but made us rethink certain notions about what it means to be safe. This paradigm shift has led many organizations to rethink certain risk management policies and practices. The need for round-the-clock vigilance has never been more prevalent than in current times.

Many believe that global warming has had some effects. Scientists believe that the rise in the earth’s atmospheric temperature has led to a shift in weather patterns, creating higher daily temperature swings. Some believe this higher fluctuation in daily temperature patterns has led to the increased potency of natural disaster effects, such as floods, tornadoes, tsunamis, as well as large, damaging hurricanes. Today’s natural disasters seem more costly both in the form of insurance claims as well as human life.

There is no doubt that the rise of terrorism over the past decade has put our country on alert. From a corporate perspective, this heightened level of constant vigilance requires the expertise to be able to quickly react and respond to any level of threat information. The question seems to no longer be ‘if’, but ‘when’ radical terrorists bent on the utter destruction and annihilation of our way of life will strike again. The larger the enterprise, the harder and more complex the task is of initiating responses aligned with recovery plans for the actual disaster. When seconds and minutes mean the difference between success and failure, having a crisis monitoring service in place can help your risk management, emergency response and executive team respond instantly to events and get plans implemented and emergency notifications sent to employees.

Another serious concern within the risk management community is the potential outbreak of pandemic flu. If this does occur, up-to-date information will be critical for safeguarding employees as well as maintaining stable operations. One of the most difficult tasks will be the number of people who will be required to perform job functions from their home for an extended period of time, a challenge that not only changes the face of business continuity planning, but also the recovery strategy of many enterprise firms.

With these types of potential deviations from ‘traditional’ risk management thinking posing the potential to wreak havoc in the event of a real disaster, having knowledge of the actual or pending event instantaneously could again mean the difference between success and failure.

What your crisis monitoring program should include:

1. Data feeds: many businesses have the same response to tying into a large number of data feeds specific to their needs: “Where do I begin?” This may seem like an endless task, but remember it’s much more a matter of quality over quantity. One recommendation is to narrow down the content using keywords and key phrases that will link your data feeds to the most relevant information for your specific needs. Such examples might include “Daily Cyber Threat” as opposed to “Security”. This type of detailed key phrase will produce a more detailed, albeit smaller, number of links for feeds. Be sure to narrow your search focus in efforts to avoid large-scale global news feeds that can have you ‘drinking from the firehose’ of useless information. There is also a tremendous number of focused public-sector data feeds that can augment a commercial feed as well. Some Federal Government feeds can narrow to State levels and beyond. Please remember to check the authenticity, relevance and how often new data is posted.

2. Data aggregation: it’s one thing to tie into large numbers of data feeds, it’s quite another to know what to actually do with all that data. One of the most critical components of any crisis monitoring solution should be your data aggregation process. Experts vary on data aggregation techniques, but one that has worked well has been Logical Facility Placement (LFP). LFP combines traditional GPS mapping with keywords and key phrases to create an automated process of crisis alerts based on the zip code of each facility. This system allows the potential pinpointing of just-happened events based on map placement and allows scaling outward based on mile radii from the event epicenter. This in turn should set off automated messaging to those contacts with responsibility for the facilities within the given radial parameters.

3. Staff: in order to maintain a constant state of vigilance, technology can only take us so far. Having staff maintaining watch of crisis monitoring systems is another critical component of the overall solution. These staff members should be trained in emergency management ‘best practices’ and protocols. One of the challenges that face large enterprise organizations is the need to keep these types of monitoring centers staffed around the clock. For many firms, this is cost prohibitive. When highest level threat triggers are initiated, trained staff must be there to notify your emergency management personnel. These critical personnel should be able to be contacted via multiple communication devices using a ‘hunting’ technique, offered by leading emergency notification solutions, to provide the optimal probability for connection.
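
The key-phrase filtering from item 1 and the radius-based facility matching from item 2, sketched as an added example that is not from the article or any vendor's product. The facilities, zip codes, coordinates, key phrases, radius bands and contact addresses are constructed assumptions, and each facility's zip code is assumed to be already resolved to a latitude and longitude.

```python
import math

# Constructed sample data (assumptions, not values from the article).
FACILITIES = [
    {"name": "HQ", "zip": "10001", "lat": 40.7506, "lon": -73.9972,
     "contact": "ops-hq@example.com"},
    {"name": "DC-East", "zip": "07102", "lat": 40.7357, "lon": -74.1724,
     "contact": "ops-dc@example.com"},
    {"name": "Branch-West", "zip": "94105", "lat": 37.7898, "lon": -122.3942,
     "contact": "ops-west@example.com"},
]
# Narrow key phrases rather than broad terms such as "security".
KEY_PHRASES = {"daily cyber threat", "flood warning", "power outage"}
# Radius bands in miles, scaling outward from the event epicenter.
BANDS = [(5, "critical"), (25, "elevated"), (100, "advisory")]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(a))


def alerts_for(event):
    """Return one alert per facility inside a radius band, nearest first."""
    text = event["text"].lower()
    phrases = sorted(p for p in KEY_PHRASES if p in text)
    if not phrases:  # feed item is irrelevant: nobody is notified
        return []
    alerts = []
    for f in FACILITIES:
        miles = haversine_miles(event["lat"], event["lon"], f["lat"], f["lon"])
        level = next((lvl for limit, lvl in BANDS if miles <= limit), None)
        if level:
            alerts.append({"facility": f["name"], "zip": f["zip"],
                           "level": level, "miles": round(miles, 1),
                           "notify": f["contact"], "phrases": phrases})
    return sorted(alerts, key=lambda a: a["miles"])


# Constructed feed item with an epicenter in lower Manhattan.
EVENT = {"text": "Widespread power outage reported downtown",
         "lat": 40.7128, "lon": -74.0060}

if __name__ == "__main__":
    for alert in alerts_for(EVENT):
        print(alert)
```
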

Summary
As the number and complexity of risk events continues to expand, the task of maintaining a safe corporate environment becomes increasingly difficult. Risk managers are responsible for devising mitigation strategies for seemingly endless potential risk events that could affect their corporate assets, data and staff. This daunting challenge has led risk managers and executives to seek innovative strategies to stay ahead of the risk ‘curve’. Crisis monitoring has become an essential part of many organizations' enterprise risk management strategy. The ability to maintain constant vigilance over local, regional, national and global threat activity not only makes logical sense, but helps to bolster the confidence of executives and auditors alike. The challenge of data capture and aggregation, as well as the costs associated with building and maintaining a 7x24 command center, has made outsourcing this critical task a smart business decision for many firms. The outsourcing of crisis monitoring activities to a firm specializing in this service will allow companies to offset the cost of infrastructure and staffing, as well as gain from the economies-of-scale that a crisis monitoring firm can provide.

About the author:
Steve Burns is a seasoned 20-year veteran of the crisis management field. As the co-founder and president of EverGreen Data Continuity, Inc., Steve has overseen successful recoveries of hundreds of clients during actual crisis events. EverGreen Data Continuity, Inc. is a solutions firm specializing in crisis management and emergency management. http://www.evergreen-data.com

Date: 10th January 2008 • Region: US/World • Type: Article • Topic: Crisis management