Risky Thinking
February 2014
Michael Z. Bell

Risky Thinking is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management.

To subscribe, visit: http://www.RiskyThinking.com/newsletter/

For more information and articles, visit the RiskyThinking website at

In This Issue
  • What you can do about the weather
  • Fixed Price Business Continuity Plan Review
  • News: Flooding, Windows XP support ends, London Risk Register, Target Hack
  • Risk Assessment Toolkit
  • Risk Assessment / BIA Seminar Dates and Locations
  • Administrivia, Subscribing and Unsubscribing

What you can do about the weather

The weather has made a lot of news this winter. Winter storms, gale force winds, flooded cities and landslides seem to be in every news broadcast. The case for climate change (resulting in more extreme weather - rather than its gentler-sounding cousin, global warming) has never been stronger. Some meteorologists are suggesting that due to climate change recent weather patterns are a better predictor of future weather patterns than older ones. This means that predictions made from historic data ("an event like this only occurs once in a hundred years") will not be a good guide to the frequency of future extreme weather events.

There's a very old joke about the weather: everybody complains about the weather, but nobody does anything about it.

But as a business continuity planner, there are actually some concrete things you can do about it:

Choose where you are located

If you have a choice, consider possible weather hazards when locating a new project. Don't locate new projects where extremes of weather can be reasonably anticipated. Don't locate on historic flood plains, coastal areas, or other areas where extremes of weather are increasingly likely to be experienced. Also take into account possible transport problems due to blocked road, rail, or air links.

Review your insurance policies

Insurance companies have two ways of dealing with a major threat: charge a high premium for it, or exclude it from the policy. The competitive nature of the business makes excluding a threat to offer lower premiums a common tactic. Be particularly aware of this when considering flooding. There are several different types of flooding from an insurer's point of view. You might be covered for flooding caused by a burst pipe or a flash flood, but not covered if a nearby river breaks its banks or a seawall fails.

Plan for Low Staff Levels

Many weather situations make traffic difficult if not impossible. In addition, due to the wide area affected, employees may need to look after their own homes and families first. Rather like a pandemic, you need to be prepared to work with substantially reduced staffing. To ensure that sufficient staff are available for critical functions, look into cross-training staff so that they can perform each other's jobs in an emergency.

Plan for Zero Staff Levels

If you are unfortunate enough to be located in an area which could be in the direct path of a major storm, consider what you will do if the local government issues a mandatory evacuation order.

Plan for Loss of Power

Be prepared for extended power outages due to wind, snow, or ice affecting power lines. If warranted, keep a backup generator and a supply of fuel on hand. Ensure that the fuel is properly treated for long-term storage, and that the backup generator is regularly tested. Keep in mind that additional fuel may be difficult to get in the event of a major storm.

Don't Keep Anything Important in the Basement

Don't keep irreplaceable or expensive items in the basement or on the ground floor of buildings where flooding is a possibility. Not many people want to work in a basement, so often basements are used for data centers, or for storage. Remember that this is the area most at risk if flooding occurs.

Anticipate an Extended Loss of Power if you are Flooded

Power (including backup power) will likely have to be cut from the flooded areas for safety reasons. It may take some time before areas are dried out and installations are inspected and tested before power can safely be reconnected. If power enters the building at a location which may flood, anticipate a total loss of power to the building.

Buy Emergency Supplies Now

Keep sufficient emergency supplies (e.g. salt for melting ice on pathways, plastic sheet, plywood for protecting windows, batteries, flashlights, etc.) on hand. When a weather event occurs, it typically affects a wide area. Since many companies and individuals are competing for resources, emergency supplies sell out fast. The best time to stock up on emergency supplies is therefore when they aren't needed, before any event is even in the forecast.

Further Reading:

New Jersey can't find any salt to buy

Floods set to become more common due to climate change (2012)

Will Climate Change Destroy New York City?

Impressive Daily Mail UK Storm Pictures

Fixed Price Continuity Plan Review

It's often difficult to see your Business Continuity / Disaster Recovery Plans from a different perspective. Is it realistic? Does it miss something obvious? An external pair of eyes can often see problems or solutions which you can't.

We offer an economic fixed price service to review your business continuity plan. We will review documentation, interview key staff, and prepare a confidential written report identifying the strengths and any weaknesses we can see in your current plan.

Contact us for further details.

News: Windows XP End of Support Tips

There's a lot of speculation about what will happen when Microsoft's support for Windows XP ends on April 8th. What is certain is that there will be no more patches, so any security hole found after that date won't be fixed. One suggestion is that malware writers might even be saving new exploits until after support has ceased. It's unfortunately time-consuming and expensive to migrate Windows XP to Windows 7 or Windows 8. New hardware will probably be required to support the needs of the new operating system, new versions of other software packages may need to be purchased, and Microsoft doesn't provide an easy migration option if you didn't install Windows Vista. It's certainly a time to consider whether a thin client with a web browser might be a viable replacement.

Recognising the problems that public sector organizations will face, the UK government has issued a new guidance document to help organizations which can't migrate by the deadline mitigate the risks. The advice is equally applicable to larger companies and non-profits located in any country.

Read UK Government Advice

News: Updated London Risk Register

Even if you aren't located in London, reading the risk register of a major city gives an interesting insight into the type of risks a major city faces and the strategies that can be adopted for dealing with those risks.

The risk register for London was updated last month. The only four risks in the "Very High" category are currently an influenza pandemic, severe inland flooding, flash flooding, and a major telecommunications failure. These rank higher than the more newsworthy risks of terrorist attacks and industrial disasters.

It's good to see these things published where anyone can review them, rather than have them treated as some major secret as some (embarrassed?) cities have done in the past.

Read the London Risk Register

News: Business Continuity Awareness Week

The Business Continuity Institute is promoting its annual business continuity awareness week from March 17 to March 21 this year. The theme is "Counting the Cost".

As part of their campaign for increased awareness, they are publishing blog entries and infographics which may be useful in raising awareness of business continuity within your company or organization.

I'm not sure why this week lasts only five days - perhaps they know something about March 22nd which we don't.

For more information

News: The Target Hack - What it Means to Your Company

Target Corp.'s point of sale system was compromised last year and up to 70 million customers' credit card details were stolen. The fallout from that data breach is continuing. The data breach was so large that it created difficulties for the supply of replacement credit cards - there was simply not enough manufacturing capacity to create timely replacements for all the customer cards, and some banks had to spend a number of months before they could replace known compromised cards.

Brian Krebs has undertaken some excellent reporting of the case, and a link to one of his blog posts can be found below. Security systems are only as strong as their weakest link. In this case the weakest link involved the compromise of one of Target's suppliers who had legitimate access to Target's electronic data interchange system to submit invoices. They were compromised using a phishing email. (I find it impressive that the digital forensics has managed to follow the trail this far).

This is an important reminder for all companies: while your company may not process significant numbers of credit cards, you may still be the target of a hacker trying to infiltrate one of the companies you do business with. In a similar manner, if your web site is frequented by employees of a company being targeted, it also becomes a potential target for insertion of malware onto their employees' computers.

Read Krebs on the Target Breach

Risk Assessment Toolkit

Our Risk Assessment Toolkit is designed to assist you in creating and maintaining a Risk Register and Business Impact Analysis by modeling dependencies, simulating disruptions, and calculating potential losses. Please download an evaluation copy if you are interested in finding a better way to do these things.

Download Evaluation Copy

Seminar Dates and Locations

Our Business Impact Analysis / Risk Assessment training seminars have some updated dates and locations. We are also including a free copy of the Risk Assessment Toolkit (a US$795 value) with each seminar seat. Hopefully I will get a chance to meet you there.

Seminar Details:

Administrivia, Subscribing, and Unsubscribing

RISKY THINKING is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management. You can subscribe on the web at http://www.RiskyThinking.com/newsletter/.

Please feel free to forward RISKY THINKING to colleagues or friends who will find it valuable. You may reprint this newsletter providing it is reprinted in its entirety.