Does Each Department in your organization have one? Do any of the Critical Business Units have one? Does your entire Business Location have one? Does your Entire Organization have one?
If you have many business locations, ditto the aforementioned questions for each location.
Well, what about Midsize Businesses to Large Enterprises? Whether or not your country's federal and state governments mandate that they have a formal Disaster Recovery Plan, as is the case here in the US, only about 30-35% of these organizations actually conduct realistic yearly disaster recovery exercises. And, in many cases, these disaster recovery plans tend to be woefully out-of-date.
However, that being said, there is a difference between a Continuity of Operations Plan and a Disaster Recovery Plan. Some experts in the field contend that Disaster Recovery is a subset of Continuity of Operations; however, I beg to differ.
Difference Between Continuity of Operations Plan and Disaster Recovery Plan
In principle, a Continuity of Operations Plan is equivalent to what I call, "Living a Safe and Healthy Lifestyle." Which means, you do all the safe and healthy things that you need to do in order to make sure that you don't end up getting involved in a serious accident or getting sick; thence wind up going to the hospital for examination, medication, surgery or amputation - and convalescing. And should anything happen to you that is beyond your control, you have put in place processes, systems and people who are able to carry on in a smooth and seamless fashion during your absence or incapacitation as if nothing ever happened to you.
Thus, the question for every single organization should be: Regardless of what happens out there in the outside world that is beyond our control, how can our organization make sure that we can continue to operate without any sort of major interruption, if any?
Whereas a Disaster Recovery Plan is equivalent to what I call, "A Personal Guide to Best Doctors and Hospitals." It focuses on all the things that you need to do AFTER you get sick or involved in a serious accident; gives you a list of the best hospitals and doctors; and gives you an idea of how fast you can recuperate so you can go home and/or get back to work.
In that case, the question for every single organization is: Should a disaster occur, regardless of whether or not it was beyond our control, how fast can we recover and get things back to normal?
Alignment of Team Members Mindset to Plan Mindset Is Essential
To wit, the Continuity of Operations Plan mindset takes a holistic approach to business operations and focuses on prevention and mitigation of interruption, and business continuity. As the old Ben Franklin saying goes, an ounce of prevention is worth a pound of cure. Whereas the Disaster Recovery Plan mindset focuses on the restoration of systems and services after a disaster.
Therefore, in order to achieve plan convergence, a prerequisite for effective plan implementation, it is critical that the Mindset of Team Members is properly aligned with each Plan Mindset. Otherwise, you will wind up with Continuity of Operations Plan team members trying to implement a Disaster Recovery Plan - and Disaster Recovery Plan team members trying to implement a Continuity of Operations Plan.
An Even Bigger Issue: Today's COOP Strategy Needs to Evolve
The problem with every single organization's Continuity of Operations Plan is that it is designed by "Brick and Mortar" Executives for "Brick and Mortar" Organizations that are in the midst of a World that is in the process of making a slow, albeit major and long overdue, transition to a World of Virtual Organizations: The New Virtual Organization World.
That means, your COOP strategy must also take into consideration the issues, threats and vulnerabilities that your organization faces in this "Virtual World" as well as the opportunities that this Virtual World makes available to your organization in order to mitigate, manage, or even inoculate your organization from these threats.
What are these threats and are they something new? Well, these are virtual, virtual infrastructure, physical infrastructure, environmental, technological, technical, financial, information, personnel safety, insider and governance threats to every single business unit as well as to the existence of your entire organization. These threats have been around and/or germinating since the beginning of the Web. What makes things so urgent today is the fact that their manifestation and effects are now in full bloom and radiating throughout both the virtual and "brick and mortar" landscape; there for all to see, feel and understand.
That means we can no longer pretend that these threats don't exist or that they are something that we can put off for another day, week, month or year(s) while we deal with other more pressing issues, thinking "We'll Cross That Bridge When We Get There." We are all standing right there in front of that bridge and turning back is not an option.
Crippling Threats to GOVERNMENT and BUSINESS Infrastructures Worldwide
For example, hacking today is no longer confined to nerdy kids looking for a thrill or claim to fame by launching DDoS (distributed denial of service) attacks or infecting your computer with viruses and trojans that slow down or crash your computer. Nor is it confined to the domain of run-of-the-mill criminals looking to make a quick buck.
Today, hacking has gotten so sophisticated that it is now used as a Hybrid Warfare tool by not only Governments (e.g., the recent attack on Venezuela's electric power grid which plunged the country into the dark ages and sent Healthcare and Healthcare System Providers and all other Critical Business and Government Infrastructures into a tailspin) but also by every single major criminal enterprise or terrorist organization in every single country around the world.
Even the most sophisticated intelligence agencies from the most powerful countries in the world are not immune from these threats.
Moreover, during the years 2017 and 2018 alone, over 30 city and county governments in the United States reported being subject to Ransomware Attacks by criminal organizations which crippled their computer systems for lengths of time which ranged anywhere from a couple of days to a couple of months. Even local Police Departments and Schools throughout the world wound up paying ransom in order to get their systems back online.
You can just imagine the sheer number of city and county governments which opted not to report such attacks for public relations purposes.
And the year 2019 promises to be a boon year for ransomware attacks by criminal organizations worldwide. From Lake City, Florida - $460,000 :: Riviera Beach, Florida - $600,000 :: Atlanta, Georgia :: Baltimore, Maryland :: Denver, Colorado :: Albany, New York :: Fisher County, Texas :: Genesee County, Michigan, etc. (Not even the FBI, CIA, NSA or any other law enforcement or intelligence agency in the world could help them.)
As for businesses, one major European company, Norsk Hydro, which refused to pay the ransom, is reported to have incurred over USD $57 million in expenses in order to restore their systems. Even the CEO of JP Morgan Chase, Jamie Dimon, has admitted that their organization spends over USD $600 million a year in cybersecurity expenses in order to protect their systems from cyber threats.
Where do ALL these malicious hackers (nerdy kids, criminals, criminal enterprises, terrorist organizations, and intelligence agencies) reside? In a Virtual Environment ... in the Cloud. Where does the heart of ALL of our Critical Infrastructure reside? In a Virtual Environment ... in the Cloud. Where can ALL of our Critical Infrastructure be accessed? In a Virtual Environment ... in the Cloud and in a Brick and Mortar Environment. Where can the damage to ALL of our Critical Infrastructure be caused? In a Virtual Environment ... in the Cloud and in a Brick and Mortar Environment.
As the recent attacks on the power grids of Venezuela, Argentina, Uruguay, Ukraine and Russia clearly demonstrate, an attack on the heart of a Country's Critical Infrastructure is no longer the stuff of science fiction or just some hypothetical situation in case of a long predicted Armageddon by religious zealots. Nor is it confined to the domain of an EMP (electromagnetic pulse) attack due to nuclear explosions at high altitudes over a country; or a DEW (directed energy weapon) attack on a country's facilities; or a straight out Nuclear War. Nor is the likelihood of such an attack merely Fear Mongering by a bunch of preppers trying to sell MREs (meals ready to eat), guns and ammunition, and nicotine sticks.
This Is As Real As Real Can Get. The future is here.
Time to Take Off the Blinders
Every single malicious actor or nefarious organization (from nerdy kids to criminals, criminal enterprises, terrorist organizations, government intelligence agencies) who can wreak havoc on your organization in both a Virtual Environment and Brick and Mortar Environment resides in a Virtual Environment ... in the Cloud. It's their home turf and this is where they are most comfortable and extremely agile. That means their presence and actions are not limited to a particular building location, geography, topography, region, or country. They live and breathe in a Virtual Environment ... in the Cloud.
They do not have to prepare Hacking Attack or Hybrid Warfare Plans to be stored away somewhere in the Cloud and to participate in quarterly or yearly drills in a Virtual Environment. The Virtual Environment is their home turf, this is where they live and breathe, instead of just a place where they have to prepare for and practice once or twice a year.
In light of the aforementioned, can you say the same thing about the Key People from Critical Business Units throughout your organization who are entrusted with the responsibility for - or have been delegated to implement plans relating to - Emergency Management, Disaster Recovery, and Business Continuity Of Operations?
The point being, when it comes to Business Continuity of Operations and Disaster Recovery, no amount of drills in a Virtual Environment, if any, can ever be enough in order to meet the critical challenges that your organization faces in today's Virtual World.
As well, this is NOT something that your organization can outsource to some other organization.
And as much as I hate to be the bearer of bad news, this is no longer about your country's version of FEMA (Federal Emergency Management Agency), CDC (Centers for Disease Control and Prevention) or DHS (Department of Homeland Security) coming to the rescue in the event of Earthquakes, Catastrophic Floods, Hurricanes, Pandemics, or Acts of Terror. Nor is it about your existing Business Continuity of Operations Plan and Disaster Recovery Plan which are primarily designed for "Brick and Mortar" Executives in "Brick and Mortar" organizations.
Why is that, you might say? That's because ALL these agencies - including the FBI, CIA, NSA, and any other law enforcement or intelligence agency - which are themselves "Brick and Mortar" organizations run and staffed by "Brick and Mortar" executives and personnel, will NOT be immune or exempted from any All-Encompassing Attack on a Country's Critical Infrastructure. You will all be in the same boat!
Their only option (these alphabet government agencies) will be to seek refuge in these DUMBs (Deep Underground Military Bases) in the West and other parts of the world that are completely disconnected from the power grid we all depend on.
That means your business, organization, institution or city will be left to fend for itself in any sort of worst-case scenario. Ask the mayors of the cities of Baltimore, Maryland and Atlanta, Georgia what I mean by that.
Imperative Need For A Virtual Organization COOP Strategy: A Virtual Organization COOP Force
Hence the need for you to also develop a Virtual Organization COOP Strategy for your very own organization.
A strategy which requires the building of a Virtual Organization COOP Force for your very own business, organization, institution, city and country. Such force will consist of Key People From ALL Departments and Critical Business Units throughout your organization who will also live and breathe in a 100% Virtual Organization Environment.
A new breed of Virtual Organization Leaders who have been highly trained in all aspects of how to function, operate, thrive, excel, manage and LEAD in both a "Virtual" and "Virtual Organization" Environment in accordance with the virtual organization management discipline pioneered by its founder since 1997 (see Virtual Organization Leadership Executive Training, Assessment and Certification for Midsize and Large Enterprises).
VOMI (Virtual Organization Management Institute), in partnership with Virtual Organization Leadership and VOMI Virtual Organization Academy, is the ONLY organization in the world which offers - and is qualified to offer - such virtual organization leadership training and certification.
That means these individuals must be recruited from ALL existing Departments and Critical Business Units throughout your organization. Initially, they are not required to have any existing IT or cybersecurity background in order to be selected.
Ideally, though not a requirement, their training will begin at the same time so that they will all gain first-hand virtual organization leadership experience collaborating with each other so that, when they return to their organization upon completion of their training, they will at least have a solid foundation of virtual organization leadership and collaboration experience that they can build upon.
Upon completion of their initial Virtual Organization Leadership Executive Training, Assessment and Certification, they will then be assigned to your organization's newly created Virtual Organization COOP Force; at which point they will begin to receive extensive and continuous IT and cybersecurity training throughout the entire length of their tenure on the force.
This Virtual Organization COOP Force must be a Microcosm of your entire "brick and mortar" organization. It must operate in parallel with your organization instead of being just an appendage or extension of an existing department or business unit. Its hierarchy must be completely independent of the brick and mortar hierarchy. Its entire Virtual Organization Infrastructure must be completely disconnected (not just firewalled) from your organization's "brick and mortar" infrastructure; yet, it must have the capability to tap into your organization's infrastructure in a one-way fashion so that it can both monitor and access it at any time the need arises.
The reason is simple: Regardless of what happens to your "brick and mortar" organization's virtual or Cloud infrastructure, your Virtual Organization COOP Force's Infrastructure will not be affected and its Daily Activities can continue unimpeded. That is what I call "Real" Business Continuity Of Operations. As well, this will allow your organization time to implement its existing "brick and mortar" Emergency Management Plan.
Confidentiality Is a Must. The list of personnel assigned to this Virtual Organization COOP Force must NOT be made public to all personnel throughout your organization. Only Individuals Who Have a Need to Know their doppelganger or a specific member(s) of the COOP Force can have access to the identity of such member(s). As well, the name of the Leader of this COOP Force must NOT be publicly listed in the public directory listing of the organization as well as in any Hierarchical Organizational Chart of either the COOP Force or the brick and mortar organization.
Why is that, you might say? The point being, why advertise to the world that you have an impregnable and impenetrable fortress? That's an open invitation to everyone to try to storm your fortress and prove you wrong. As well, you want to avoid altogether or, at the very least, substantially mitigate the effects of any sort of attempts to conduct widespread, highly coordinated, sophisticated and extensive infrastructure attacks and Human Compromise Operations on your organization's "brick and mortar" and virtual organization infrastructures and associated personnel.
To Whom Should the Head of the Virtual Organization COOP Force Report?
Yikes! I knew that question was coming. Thus the reason why I decided to provide an adequate response which should soothe everybody's nerves as well as please all the primary stakeholders and powers-that-be within your organization.
Let's face it, regardless of the type, size and structure of an organization or business unit, silos of interest and turf wars are a fact of life in the corporate world - as well as in government; thus can be expected.
However, that being said, the individual who gets to occupy this position, whatever you want to call it - for discussion purposes, let's call it, "Chief, Virtual Organization COOP Force" - is unique in so many aspects that s/he can ill afford to participate in company politics or get drawn into turf battles and internecine wars which can only have a detrimental effect on the purpose and mission of the Virtual Organization COOP Force. Here are the reasons why:
First and foremost, the composition of this COOP Force is drawn from every single department and Critical Business Unit throughout your entire "brick and mortar" organization.
That means, imaginary COOP Force member, Senior Financial Analyst Jack Suleiman, who was recruited from the "brick and mortar" Finance Department must be able to continue to cooperate and maintain cordial relations with his former colleagues as well as serve as a focal point of contact between the COOP Force and such department. Ditto for all other members of the COOP Force.
The net effect of such COOP Force composition means that the Chief, Virtual Organization COOP Force gets to establish on a daily basis, either personally or through his staff, an excellent rapport and strong relationships with each and every major Department and Critical Business Unit throughout your organization. That means s/he gets to represent and advocate on behalf of ALL silos and turfs throughout your organization; thence doesn't have a dog in anybody's fight.
As well, due to the sensitivity, tremendous power, responsibility and influence of this position, s/he cannot afford to either be, or be perceived as being, beholden to any single individual, department or business unit throughout the entire organization.
Therefore, I can now answer your question: S/He should only report to a Virtual Organization Infrastructure Protection and Security Committee of the Board of Directors, consisting of a minimum of three (3) members - one of whom must be the current Head of Emergency Management and the Heads of two other Most Critical Business Units in the organization.
This appointment must be approved and ratified by the Search Committee of the Board of Directors. However, this person's removal (not appointment) from that position must be by unanimous vote from ALL the members of the Virtual Organization Infrastructure Protection and Security Committee. The Chairman of the Board of Directors must specifically be restricted from membership on these two committees. These checks and balances are a must in order for the Virtual Organization COOP Force to fulfill its mandate free from internal or external interference or any sort of human compromise operations.
For the sake of brevity (you can laugh a little), many details regarding the implementation of such Virtual Organization COOP Force for Midsize and Large Enterprises have been omitted from this document. Nonetheless, I hope I was able to convey its essence and the urgency of now for concrete action (see Virtual Organization Leadership Executive Training, Assessment and Certification for Midsize and Large Enterprises).
As well, the foregoing information also applies to a tremendous number of Innovation-Focused Startups and many other small businesses who could benefit from this strategy, albeit on a much smaller scale (see Virtual Organization Leadership Executive Training, Assessment and Certification for Small Businesses).
A very strong case can also be made for many City, County, State, Provincial, and Federal Governments worldwide (see Virtual Organization Leadership Executive Training, Assessment and Certification for Governments).
Let Us Manifest!