
February 27, 2025 23 mins

How prepared is your organization for disruption? 

In our latest episode, we dive deep into the critical topic of Business Continuity Planning (BCP) with cybersecurity expert and new Reveal Risk Director Todd Wilkinson. 

As digital dependencies grow, the way companies approach BCP must evolve. Todd highlights the shift in ownership from IT departments to business leaders, shedding light on the necessity for everyone in the organization to take accountability for continuity strategies. 

Drawing from his wealth of experience, Todd recounts compelling stories of real-world failures and the stark realities of service disruptions, particularly in the healthcare sector. He explains how reliance on SaaS and cloud services has transformed the landscape of planning, creating both opportunities and vulnerabilities. 

Listeners will gain valuable insights into best practices for establishing effective BCP protocols, including the vital distinction between BCP and disaster recovery planning. We tackle the importance of clear communication strategies during crises, the need for frequent testing, and the changing roles of different departments when it comes to continuity planning. 

Engaging and informative, this episode encourages organizations to rethink BCP as a crucial aspect of operational resilience rather than just a checklist for IT departments. 

Subscribe, share, and let us know how your organization is preparing for unexpected challenges or if you need help along the way! 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Oh, Simplifying Cyber. Sorry, I need a post-it note for that. Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz, and standing in for Cody Rivers today, and actually standing, sitting in his office, we have Todd Wilkinson. So Todd was on season one of the show, I think, maybe three (00:24) years ago. It's been a while. Worked at Elanco Animal Health, and actually, by the time this is public, I think we will have revealed that Todd Wilkinson has joined as a cybersecurity consulting director at Reveal Risk to go help others do some amazing things like he's done prior. So welcome to the show, Todd. Welcome back to the show.

Speaker 2 (00:44):
Thank you. Thank you, it's Todd. Welcome back to the show. Thank you.

Speaker 1 (00:47):
Thank you, it's good to be here in a different room. Absolutely. Well, today we wanted to jump right into a hot topic, and it's one that if you would have asked me 20 years ago, because it was still a thing then, if it would have been a hot topic, I would have laughed all of us, including myself, out of the room. So that topic is business continuity planning, and BCP. Disaster recovery planning and incident response has always had (01:10) a role in cybersecurity, at least adjacent. But I think what's changed, or what I've started to notice, that, Todd, I want to really dive in with you and your experience, is BCP is being talked, owned and actioned very differently than what I experienced as an auditor at a Fortune 500 company, where (01:32) I would write BCP findings, "Affiliate doesn't have BCP," and it would be handed to the IT director of that location, and then they would have to figure it out. And I think that never worked. It felt misplaced, and some companies felt like BCP was a second version of a disaster recovery plan. (01:53) But I always saw it as, I think, what it's starting to kind of re-evolve back into, as it's actually a business continuity plan owned by the business to operate the business if IT didn't exist. So, Todd, I'm going to just pause there and kind of let you give some opening comments about what you're seeing here.

Speaker 2 (02:12):
Yeah, no, no. And again, thanks for the introduction, and happy to be here again. Yeah, a couple things are changing just from 10 years ago, when we used to have a lot of BCP conversations. Number one, the introduction of SaaS as really a key component of driving many companies, and that includes manufacturing facilities as well. A lot of manufacturing facilities used to have (02:32) everything on-prem; more and more are moving them to the cloud. So SaaS is changing that landscape. Certainly, disaster recovery is still a key piece of that and how IT executes that, but the business driving BCP, I find, is a much more effective conversation for companies to really think through what it means, because it might be okay to say, hey, let the system be down for a week or two, we're (02:53) okay with that and we've got other ways we can navigate the problems that are out there.

Speaker 1 (02:57):
That's when the really cool office parties happen. Like, systems are down, let's have a good afternoon. Yeah, yeah. It doesn't always work that way, but that's how I like to envision it sometimes.

Speaker 2 (03:07):
Everybody go home, we're down for the afternoon. So that's one of the changes that is occurring.

Speaker 1 (03:12):
And two, the reliance on IT systems is much, much, much bigger than it was a decade ago, so the context of how we think about it needs to start changing. Yeah, the other thing is that we do a lot of work in healthcare and the pharmaceutical industry and payer health insurance. Obviously I spend a lot of time on the corporate side in pharmaceutical, so I have a lot of passion for this industry. (03:36) But with the recent incidents, I mean, I would say in the last five years, but specifically with Change Health, I think that really rocked the healthcare industry, in that so many companies were completely not able to operate because they couldn't do payroll, and I think I heard the stats that a third of all US healthcare companies relied on that one company and (03:58) the one system that they operate to pay between physicians and distribute products from pharmacies and things like that. If you think about that, and, Todd, your point of, like, a business relying on a system, obviously moving money and controlled by IT and overnight jobs and all that stuff, that is critical, and if that's not there, I don't think a lot of (04:18) entities were even thinking about, like, a payment system or whatnot. So what have you seen in that space? And I guess, within kind of having been in life sciences and human health, what do you see from that perspective as, like, kind of what's changing about this?

Speaker 2 (04:33):
Yeah. Well, let me introduce a personal story, just in the Change Healthcare. This all happened within a 48-hour window for me. I'd kind of heard about Change Healthcare, what was happening with that, but I hadn't, quite honestly, I hadn't really been paying attention to the details of the impact. I'm standing in line in my pharmacy and there were three little old ladies in front of me, and I watched them one by one (04:56) walk up, try to get their medication. They were told, hey, this is really expensive. Your insurance isn't available right now. You either have to pay cash, and it was a very large number for all of them, or you just have to not get this right now. And I watched all three of them essentially turn around and say, well, I guess I won't get it right now, and disappear. And that was impactful, just kind of watching that, and I'll (05:19) come back to that point. And then my eye doctor. I was in there, I just happened to ask the question, is this impacting you? And he's like, yep, 70% of my revenue has been gone for the last six weeks. The full 70%, that's a hugely impactful number for a small business to just have disappeared. So those are the two things I witnessed, just on the ground. I (05:40) think, to your question, one of the things that I think is key to a BCP plan that can help with some of these scenarios. Because what is different? A SaaS system is going to go down. It's done, it's down. Your IT teams might be able to help get that back online, but a key piece of that is just knowing, hey, when this is down, what am I going to tell people? (06:01) What are my actual instructions of what they're supposed to do? Should I tell them to wait? Should I tell them to call a different number? Having thought out that portion of the conversation can really help quell a lot of concerns or just confusion in the marketplace, and then also your own teams internally can know, this is what we're telling people, this is what I expect to (06:22) do, and having thought that comms plan through ahead of time, I think, can be huge. And if nothing else, and just in the case of Change Healthcare, hey, I might need to just not go to the pharmacy for a few days or wait a week and try again later. There's something along those lines. But that's not normal, I think, historically, as part of BCP plans, because they're so focused on internal communications: who do I call? (06:44) Where's my information stored at? How long is it going to take to recover? And so there's that connection to the public. I think that's impactful.

Speaker 1 (06:51):
Yep. So, you kind of referring to things that could be in the plan, what's your perspective on separating the business continuity plan from disaster recovery? And then I kind of also want to maybe edge in the question of the shift of ownership from IT. So, kind of, what have you seen, what are you seeing right now, and where do you see plans, and how they're structured and owned, going forward?

Speaker 2 (07:13):
Yeah, well, I've sat through a number, and sometimes DR and BCP plans get thrown together, and I think functionally that DR plan is how do I rebuild a system, what's that tactical plan to bring things back online, and what that actual functional plan is. Like, my stuff's gone, I know how to rebuild it and where it is at. That, I believe, really should stay within the realm of IT or (07:35) information security, depending on who runs that. I think that's a clear line of ownership. The BCP plan is more function. How do I just keep things running in the meantime? Back to that communication strategy. Do I need a phone? Do I go to paper processes? That's the content. How do I keep people safe and healthy? So it's almost a personnel plan and a commercial plan versus the behind-the-scenes nuts and bolts we have in a DR: how to (07:58) actually physically restore a system or bring operations back up and running.

Speaker 1 (08:02):
Yeah, great point, Todd. You've spent a lot of time in life sciences manufacturing. I think, for me, business continuity planning is an easier concept for manufacturing because availability and uptime is everything, so they naturally get, like, we need to plan for when we can't do that and we still need to get product out. (08:22) How is that different in some of the other business functions that maybe have less of that key driver? How have you seen change, or how do you get them as motivated as maybe some of the organic interest from manufacturing?

Speaker 2 (08:36):
Yeah, yeah. Manufacturing kind of has an easier story and a harder story at the same time there, right? You get your commercial. Let's take an example of a product I'm selling to customers. That one's a clear line in the sand. I think you can make a decision of, hey, I can have a fast-acting BCP plan to keep the business running, but it's going to take this amount of dollars to invest. And it becomes an easier conversation if you know I've (08:59) got to invest this much money or this many people resources to have a fast-acting BCP plan. Or it might be okay, and this is okay in some cases, hey, we're going to be down for a week or two. My building is gone, it caught fire, the roof has fallen in, or whatever it might be, the data center has gone down. Or my key SaaS provider has just gone out of business and I (09:19) don't know when they're coming online. It might be okay to say, hey, we know what's going to happen, we know how to communicate to those people. Let's just go ahead and tell people this service is out for a week. A lot of people might be okay with that if you tell them it's probably a week, versus I'm going to have completely redundant systems across the board, practiced to the nth degree. On the flip side of that, it might be, no, we really can't be (09:42) down. I need to have a backup plan and I might need to be prepared to bring in a second SaaS provider or somebody alternative. I can kind of get things going, at least in a basic sense. It's that conversation up front of going, when it really gets down to it, how long is okay?

Speaker 1 (09:57):
Right, yeah, kind of the business impact analysis or assessment to kind of understand priority and all that classic concept, but really making sure that that pulls through in how you're implementing the plans. You mentioned software as a service, or SaaS. How does kind of data and the user interface pushing out to SaaS, and less being on-prem, and the introduction of artificial (10:20) intelligence kind of re-complicate that already complicated situation? How does the tech landscape shift affect BCP and how you might approach

Speaker 2 (10:29):
it. I think there's probably kind of two angles to that if you throw AI into it a little bit. One, just the generic SaaS provider. I'm not sure if I'd say more and more are behaving this way, but certainly we've seen SaaS providers: hey, we're down for the day, or we're down for an hour, or we're just down. I don't know when we're going to be back up. It might be five minutes, it might be three days or longer. (10:50) I think Change Healthcare was a good example of something that was way longer than anybody anticipated. That had huge ramifications across the country. But you're going to see, I think, on that side of the house, it's just how long is long. On the AI side of the house, what I am seeing is the rate of (11:11) pace of change that they're delivering. They're throwing new models out, they're putting updated models out there, and what you find is I may not shut down my business, but all of a sudden, those AI models, you don't necessarily have the time to do full regression testing, especially if you're consuming a service, and all of a sudden your answers may be different than what they were last week, and you may have (11:33) to temporarily shut yourself down, going, hey, I need to take this portion of the service offline, or it may have done it for us because the interface changed. So anticipating, I think, more often but maybe shorter disruptions in business is probably the right way to think about that, just given how quickly things are changing. And again, back to, hey, we need to tell people we're down for a (11:54) little bit, and if you can communicate to them quickly and effectively, what I've found, most people are like, yeah, okay, I can live with that for a while. I'll come back later. It's the, I don't know that it's down, or nobody's telling me it's down.

Speaker 1 (12:08):
I'm just going to get frustrated and keep trying. Great point. Let's talk about the different levels of business continuity planning, and I'll go back to another audit story again. I did a lot of vendor audits when I was in corporate audit. Kind of interesting, because you get to go outside of the walls of your own company and look at others. But when you think about business continuity planning and you ask a company or a department, do you have a BCP? (12:29) A lot of times, yes, and here it is, and sometimes it's like, here's our master plan, and then here's functional area level plans. Give me your thoughts on, I think, there's the enterprise BCP and then functional area business continuity plans. In your experience, Todd, have you seen that full ecosystem of top level and then local level, or do most stop at the top level (12:49) and then the local areas really never institute their actionable plans that they can use in a crisis?

Speaker 2 (12:56):
Yeah. Well, I guess the short answer is I've seen them all across the gamut at multiple different companies. Usually those high-level ones are just that. They've got a basic comms plan, who's in charge of putting together the comm plans, and that's the end of it. And then you get to those functional areas or facility plans, but my favorite one that is in there, it says, here's who (13:16) you call, and then also call IT to bring everything back up. And I think that's the one that's challenging, because if we're really calling for a BCP plan and we're going to have to execute, a building's caught on fire, the network's out, tornadoes rip through your area, there's a flood, IT's busy. Assume they're down. Yeah, assume they're gone for a while. (13:39) So figure out something else. That's sometimes a helpful question to ask when you're trying to figure out those plans.

Speaker 1 (13:46):
Yeah, now recently I've helped some organizations build them, actually in healthcare as well. And one interesting thing is people always assume tribal knowledge of, like, we would know what. It's kind of like that false confidence, like, we would know what to do if it was down. We've got a lot of expertise, we'd figure it out. But then for the organizations that have gotten into planning, you start to whiteboard their business process. (14:08) And a couple observations I've had is sometimes they can't draw it on a board. And if you can't draw it on a board in a non-crisis, you're not going to be able to articulate it or draw it on whatever you have in the crisis to even make sure you've got the right people on the right basis. And then I think the other thing is kind of when we get into testing the BCP, that's a lot of times, like, people assume, like, oh, we'll use that spreadsheet. (14:29) Well, SharePoint's down, did you have a backup somewhere? So I think really thinking, like, thinking through your process, defining who's supposed to do what when without IT, and then testing it to make sure that all those assumptions that you thought would work, until you didn't realize the actual impact would destroy your plan, those are kind of the big ahas that I think we see a lot of companies having as they (14:50) progress on this.

Speaker 2 (14:52):
Yeah, well, I would say the other one. You may have somebody that could whiteboard that, but when a disaster hits, the person that had the plan is also on vacation. Yeah, absolutely. We hear those stories that the one person that had it, he's just unavailable. Yeah, that's common as well.

Speaker 1 (15:06):
If you didn't write it down, it doesn't exist.

Speaker 2 (15:08):
It doesn't write it down. So I am a fan. Not everybody needs to be fully trained up, but at least a couple people that have an awareness of where things are at, where to get them. Do I have a backup copy of your information as well? Because, to your point, if it's a big disaster, you might have trouble getting to where the information is at, or it's in the vault and it's in the bottom of rubble, or it floated away, (15:30) whatever it might be. Weather patterns are changing, we have a lot of facilities. Hey, the roofs are collapsing in, or those fires. I remember years and years ago we had a key network connection that was down, and I'm on the phone trying to get the telco provider to bring this thing back online and how to test it. And, like, Todd, really, we have a fire here. We can't deal with you right now. I'm like, no, I understand you're busy, and this went on for (15:51) a good back and forth for, I think, 90 seconds. I was not paying attention. Like, Todd, you don't understand. The actual telco provider is burning. I can send you a picture, but it's not coming back up anytime soon. Okay, I need to have a different plan. This one is clearly not working.

Speaker 1 (16:08):
Yeah, awesome. Let's talk about the question of, maybe for the organizations that don't have robust or any business continuity plans, where do you start? What kind of opposition are kind of new leaders that are going down this path up against, and how would you coach a newbie, if you will, to have some success, given we've all (16:31) kind of had our fits and starts with these types of initiatives?

Speaker 2 (16:35):
So I think, take disaster recovery out of the conversation for a second and separate those two. I'll go back to where I started in the beginning. I think if you're going to guide somebody, there's that context of assume things are broken for a week. I think that's a good lens to look at it. What are you going to tell the public? What are you going to tell your employees? What are you going to tell the customers that use your services (16:57)? And thinking through it from that lens, and if you can get comfortable with starting there, going, hey, am I okay telling people that this is going to be down for a week? Okay, I can get there. Or maybe it's, what's that next step? Who are they going to call? Who are they going to ask for help, or what should they expect afterwards? I think that's the context and the lens that people can think through in a more practical sense, versus I need to come up (17:19) with a BCP plan that can handle a tornado and a fire or a system outage, because now you're trying to think of all the different scenarios, but start with the real connections that matter. You've got to look somebody in the eye at the end of the day, or when I'm sitting in the pharmacy. What is the little old lady trying to get her medicine? What should she plan for? I think that's a much more personal way to think about it, (17:42) rather than some vague system is down or some company that we don't know about yet is having problems.

Speaker 1 (17:49):
Yep, and then, assuming a leader or a company gets that first kind of high-level step done, how do you push past that kind of enterprise level and get into getting the commitment of local senior leaders that maybe own a function to really think about that organization? And my guess is it's not have IT do it for them. (18:09) But how do you?

Speaker 2 (18:11):
How have you done that when you were driving some of these efforts? I had a peer and we kind of tag-teamed this conversation, and the one going, hey, don't call IT, we're busy, I'm not even sure I can participate in your BCP. Include that as part of your thought process. Really help to put that ownership back on the other side. It's not to avoid the work, but it's to help them think through. Well, this is really my story, this is my challenge to think (18:35) through if some service or some technical function isn't going to be able to help us, at least not for a few days, not like they won't come help. Again, that makes it personal and I think it makes it a little bit more approachable.

Speaker 1 (18:50):
BCP, make it your story. That's a good tagline, because I think that you're really speaking to ownership and the fact that they're going to be the one holding the bag when they don't have IT. Their boss or their customers are asking them for answers. It's an organizational culture and ownership issue before it is anything to do with IT and who's coordinating what.

Speaker 2 (19:07):
Yeah, and the manufacturing side of the house, they in some ways have an easier story. They can spend a lot of money and time on redundancy and backup plans, but there's also that pressure to not overproduce. But it might be far cheaper to go, I'm going to build an extra week of buffer into my inventory, that becomes part of the financial plan, rather than I'm (19:30) going to have a backup plan or a backup facility, or just hope that things don't go down and we can bring things up within 24 hours. That's where you start tying those. My BCP story becomes part of the financial story and I've done the cost-benefit analysis.

Speaker 1 (19:44):
All right. Well, I'm going to start a new part of the show that's called Unexpected, Unprepared Question. And your question, Todd, and the producer doesn't even know we're doing this. Todd, you are a renowned storyteller. You really know how to tell a story. So what is your best BCP or disaster story that you've (20:05) experienced? You don't have to name names. You don't have to name companies, but do you have any exciting, like, squirrel exploded from a data center power storyline, or anything juicy like that?

Speaker 2 (20:18):
Well, yeah, I have a couple. I'll share this one. So years and years ago, building a data center, this is several careers ago, but I had spent, I think, nine months with the telco providers trying to get redundant lines into this facility, making sure that those lines didn't run down the same railroad tracks, on the same side, down the same road, truly (20:40) redundant lines going into this facility, and it took a lot of work just to get them to admit where these physical connections were at. So finally we're at the end of this project. The lines come in. They're coming from different regions, but I take a day off. I think I was on vacation. I come back on provisioning day and they had pinned up both of the lines on the same telephone line, or the telephone pole, (21:02) coming into the building off the road, and I'm standing out there. You can't have these here. You've got to move this. The construction folks are mad at me. Everybody's upset. You've got to move it. We're not done. It's got to move, it's got to come over there, and I walk away. An hour later, an hour later, a big semi truck hauling a load gets into an accident and runs over that single telephone pole, (21:26) and I don't know if fate was there that day. I'm not really sure, but I still remember that as going, yep, that's why we talked about that.

Speaker 1 (21:33):
Yeah, I told you so.

Speaker 2 (21:35):
Yeah.

Speaker 1 (21:35):
I didn't pay him, I didn't pay him. Yeah, that's awesome. Well, it's good when an actionable story comes that quickly, if you've given direction and it's like no one believes that this is something that we need to know. But you know, like the fact that I've been hit by two buses, one on an audit trip with a pedestrian bus and the second time on my honeymoon, rear-ended in a taxi. (21:57) No damage on both, but as an auditor, you know, you'd say, always document everything. You never know when you're going to get hit by a bus, and take it from me, I've been hit by two. You shouldn't be laughing at that. I don't know, I can laugh now. It was scary at the time. But you know, awesome, Todd. Anything else you'd like to leave as parting comments to the (22:17) audience on BCP?

Speaker 2 (22:19):
Well, at some point, practice this. One way or the other, whether it's a tabletop exercise or get people off site, give it some dedicated time occasionally. It doesn't need to happen all the time, but it is something that's worthwhile to practice, whether it's a tabletop exercise or actually try to activate these things, and it does take time out of your day of other, more critical projects, but it's (22:42) a good learning exercise. You always find things, always find things that you missed as part of that plan, guaranteed, and for your teams and your staff, it's actually a good training exercise as well, because they're going to learn things that they haven't done before. They're going to get more comfortable making changes in your environment. So that's my parting message: at some point, practice this.

Speaker 1 (23:03):
And Todd, thanks for coming on the show, and actually thanks for coming to Reveal Risk, and for any of our audience that has a BCP journey in front of them, Todd is a great person to reach out to. He will not only bring stories to the project team, but storytelling to the business continuity exercises themselves. So thanks again, Todd, and appreciate everyone for joining (23:23) in. Yeah, thank you.