2018 Prediction Webinar: Bonus Q+A
DRI’s first webinar of the year, “Trends and Predictions from DRI’s Future Vision Committee: How to Prepare for 2018,” generated a series of interesting questions from attendees, which Future Vision Committee Chair Lyndon Bird, along with DRI Healthcare Committee Chair Mike Mastrangelo, were pleased to answer in this special Q&A post.
Q: Of larger manufacturing companies, do you envision more implementing Business Continuity Planning or taking a passive approach?
Lyndon Bird: Many large manufacturing companies do adopt the principles of BCP without necessarily using that terminology. Often, they only use the term BC for their IT and administrative processes. As we move towards wider acceptance of the holistic nature of resilience, it should become clearer that the resilience principles put in place for manufacturing processes and those for administration need to be coherent and consistent across the enterprise.
Q: How can we enforce and actually test DR requirements in a 3rd party/cloud hosting situation?
LB: It is important that, before contracting for such services, proper dialog takes place between yourselves and your service provider. The outcome of such conversations needs to be formalized in contracts and within associated SLAs. Penalties for failure need to be commensurate with the potential losses incurred as determined by your BIA process. As part of the contract you can determine the test conditions that you require, including full vendor participation in your exercise program if necessary. At the least, you need to formulate what testing and exercising you wish them to do, the way such programs need to be reported back to you, and their inclusion in your internal audit schedules.
Q: How can one prepare for systematic risks, such as government turmoil, domestically and internationally?
LB: You are not responsible for systemic risks of the scale you mention and you can do nothing to prevent them occurring. You can, however, make a realistic evaluation of the operational impacts such scenarios would have on your business. I suggest you do this as a high-level strategic BIA, together with your top management. Your role is to find appropriate solutions that would at least reduce the impact (should such risks become reality) on your key activities. How successful you can be will vary, of course, on the nature of the risk and your inherent capacity for resilience. A global business is likely to have more strategies open to it than a small local firm – but with creative discussion between BC and operational management it is surprising how many mitigation measures you might find.
Q: What do the tea leaves say on emerging trends and threats in cyber resilience?
LB: Cyber has to stop being viewed as a risk in itself. Cyber is a tool for good or evil (like a weapon or a vehicle) and what needs to be managed is the consequence of that tool being misused. Top management are acutely aware of the damage a cyber-attack can do and their reaction is often to demand 100% security. Understanding that this is not possible and that more needs to be spent on response planning is gaining acceptance. What we do if a breach happens and our data is stolen or compromised, or how we react to a ransomware attack, requires more than a technical response. It needs full integration with the corporate crisis response program, and often BC/DR professionals have the skills to bridge the divide between technical and business management.
Q: How might GDPR impact business continuity?
LB: It depends on what you consider business continuity encompasses. GDPR is essentially a large-scale compliance issue with potentially higher penalties and more reputational risk than was previously the case. Does BC have any role in compliance? No, not in enforcing it or delivering it – that is clearly an executive management responsibility. However, the enhanced systems needed to both comply and “prove” compliance will be more complex and have a much higher priority than before. BIAs will need to be updated, backup and recovery processes will need to be smarter, and tests more challenging and frequent. So yes, on balance I do think it will have an impact on BC professionals.
Q: What trends do you see that will impact on healthcare providers/hospitals and how can we best prepare for them? (i.e. ransomware, climate change, terrorist events, pandemics, etc.)
LB: Pretty much everything that has been mentioned. Healthcare is one of the most vulnerable services, holding masses of confidential data with less resource or expertise to protect it than, say, IT or finance. Together with retail, healthcare gives cyber criminals a great opportunity for fraud, theft or ransom with a reasonable chance of success and very good rewards. It is possible that terrorists could target hospitals and we could suffer a wide-scale pandemic – but these are conventional threats and we have (or should have) comprehensive plans to deal with them.
Mike Mastrangelo: All of our preparedness efforts will take place in the context of increasing economic pressures given:
So emergency preparedness, continuity and IT disaster recovery programs may have to address more complex threats with budgets that remain constant – or are diminished.
Q: With the Assistant Secretary for Preparedness and Response (ASPR) reducing funds used for the Public Health Emergency (PHE) Hospital Preparedness Program (HPP), what insights do you have on the changing landscape of government funding and potential alternatives?
MM: States and hospitals themselves will have to pick up the slack. To give an example, here at the University of Texas Medical Branch at Galveston, we have not received HPP funding directly for several years. Instead the funding flows from ASPR through the state department of health to the Regional Trauma Advisory Council, which spends the funds on the member hospitals’ behalf for such things as common training and exercises. In order to support my program last year, I applied for and received a National Security Network grant that allowed me to expand my chemical incident preparedness program and the community engagement aspects of that program. I wrote a grant application for my county for a FEMA counter-terrorism preparedness grant, which the county received (one of 29 recipients in the country). They now have $977 thousand to support a three-year risk assessment, planning, training, and exercise program. We will collaborate with them in that project. There are other opportunities for collaborative work with industry and other members of the private sector as well as public agencies. The key is to use your creativity and develop a reputation for successfully completing the project.
You can watch the entire presentation online here. Lyndon Bird, Chairman of DRI International’s Future Vision Committee, and Chloe Demrovsky, DRI President and CEO, discuss the findings of the Third Annual Global Risk and Resilience Trends and Predictions reports, and how your job will be impacted by world events – including supply chain disruption, extreme weather events, data protection, and more. And don’t forget to visit the DRI Resource Library to download the reports.