Business Continuity Planning: The Case for Resource Allocation
Interview With Crime/Security Expert Dana Turner
In this exclusive interview, crime and information security expert Dana Turner offers insights on:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is business continuity planning, specifically in resource allocation, and I am talking with crime and information security specialist, Dana Turner. Dana, thanks so much for joining me today.
DANA TURNER: Well Tom, thanks for the invitation, I appreciate that.
FIELD: Dana, tell me a little bit about resource allocation. When you talk about that, what exactly do you mean?
TURNER: Well, resource allocation typically is one you have to have to know what you have to work with in the way of the people, places and things within your own organization. After you can determine what you have to work with, then you begin applying the people, places and things analogy appropriately within your own organization, but you first of all again have to know what you have to work with.
Second you have got to have some kind of a strategic and tactical plan to be able to apply them. You have limited or finite resources within the organization, and you are going to have to spend them to recover from a disaster, you are going to have to do that appropriately; so hopefully again, a strategic and tactical approach.
FIELD: Now, Dana, you have told me in the past that this is one of the most overlooked aspects of business continuity planning. Why is that? It seems to be so fundamental.
TURNER: Most organizations are appropriately obviously concerned with the regulatory environment, what the examiners are going to want and making certain that they live up to certain rules and regulations -- not only the federal kind, but the state kind as well -- and in doing so we often overlook this aspect of the resource allocation. What the most overlooked one that I've run into is the training. I mean, there is an annual training requirement that every person who works for the organization has to go through, but most organizations will skip this part about the training, and what we really need are everyday and extraordinary types of training events to occur, hopefully across all platforms. And after we do that across all platforms, we do the job-specific types of training as well for any of the business units within the organization, and it has got to be organization-wide.
The risk assessment also needs to be shared by all managers and an appropriate risk assessment based upon your geography, your weather conditions, your mechanical aspect of your organization, your facilities, emergency services ability to be able to respond. Risk assessments are typically done by one or two people on a business continuity team. They actually need to be done by each of the business unit managers in a job-specific type of format. And then of course we couple that with a desktop exercise, which are also frequently, if not ignored, not done well. So, we will talk more about that in your questions later on, Tom.
FIELD: Well, that is a good point; are there unique challenges for institutions based upon their size?
TURNER: Certainly, and if you work for a small independent organization that has got 25 employees that has a main office, that has the typical foundation requirements of the financial institutions, only administration, retail operations and lending, it makes your life a lot simpler. The fewer moving parts involved, the less planning, or the less application that you are going to have to do. The planning remains the same. It is pretty simple.
But when you work for a larger organization ... the larger and more complicated you get, the more moving parts, and then you experience many more unique challenges than you normally would.
Also what is often ignored by most organizations is the geographical distribution of the branches or loan processing offices or administration because geography plays a large part in your resource allocation as well.
FIELD: Now how about the type of disaster? Are there unique challenges based on the type of disaster?
TURNER: Certainly. We have three primary types of disasters. We have the natural or cataclysmic kind, the human-inspired or human-caused disasters and the technological ones. And the unique challenges, natural ones, most people are overwhelmed. Think shock and awe from the war language. Most people are overwhelmed by the natural disasters. The sheer power of a hurricane or cyclone or a tidal wave or anything else like that, that is beyond most people's experience. The response to those kinds of events becomes unique because they are dependent upon the scale of the disaster.
When you look at the human-caused events, these are the most emotional and the longest lasting. Now, natural disasters have a distinct emotional component as well, but the human-caused disasters become very personal, much more so than just on the corporate side, but become very personal not only for employees and customers, but their families and other members of the community as well.
The technological variety of disasters, what is unique so much about those is the interdependencies between the information systems and the remainder of the organization and all of those other business units that become very dependent upon information systems in order to be able to operate and to afford services to customers.
FIELD: Dana, you've got a webinar coming up on this topic of resource allocation. What to you are going to be the main takeaways of this session for the registrants?
TURNER: Well, hopefully participants in this particular presentation will walk away with a solid foundation, a strategic and tactical approach to not only putting the plan together but to recover the organization in the shortest amount of time and the most complete fashion and losing the least amount of time, energy and resources.
Also included in the packet besides the workbook text and the PowerPoint I have included a variety of hypothetical problem-solving situations that institutions around the country have had to experience and deal with. They are all from real life and they can be used as training scenarios later on.
Also within the workbook material is a checklist of all the foundation issues that you can match up against your own organization and determine have you really complied not only with regulations, but with sound planning practices, and then also a leader's guide and a training outline so that your managers and supervisors may take the information in your plan and be able to apply it directly into the organization without having to bring in outside trainers.
FIELD: Very good. Now, Dana, you spend a lot of time with the financial institutions, I know. You spend a great deal of your time going around the country and visiting with them. Based upon what you have seen, and your knowledge of resource allocation, if you could sort of boil down to one piece of advice you want to give people on the topic, what would that be?
TURNER: Oh certainly, that one is an easy one, Tom. Always please underestimate your own resources. The things you think you are going to have available are not going to be available, or they will be impaired along the way. History has taught us this. So not only underestimate your own resources, but also overestimate the types and scale of the disasters that you are planning for. If you plan for a hurricane level one and it becomes a hurricane level four, you are going to be playing catch up. Plan instead for the higher level of disaster along the way. In other words, you are never going to have enough resources to be able to recover successfully in a single day after a disaster.
FIELD: Well said, Dana. I appreciate your time and your insights today.
TURNER: Tom, I appreciate the courtesy, and you are welcome.
FIELD: We've been talking with Dana Turner. He's got a new webinar coming up for us on business continuity planning and resource allocation. I should also mention he has also previously done a webinar for us on pandemic planning. For Information Security Media Group, I'm Tom Field. Thank you very much.