Storage & Clustering Community Blog

Are Current BC/DR Regulations, Guidelines & Best Practice Effective?

Created: 09 Jan 2013 • Updated: 11 Jun 2014
Author: dennis_wenk

A real crisis is happening now, and if we really want to reduce losses for our organizations then we will need to adjust our focus. We don't have to wait for a pandemic or catastrophe to strike; organizations are already experiencing losses that range between $35 billion and $500 billion per month. If these losses occur under best practices that are intended to protect our organizations from crisis, then some might even consider those regulations and best practices to be gravely dysfunctional.

Compliance with federal, state, and international privacy and security laws and regulations is often more an interpretive art than an empirical science, and it is frequently a matter for negotiation. When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible, or to ignore the governing laws and regulations completely. Every company weighs the cost of protecting personal data against the cost of what it would take to notify customers if a breach occurred.

It is not rational to promote best practices and guidelines that do not meet the real needs of today's technologically rich organization.

Are ineffective controls the result of:

  • Too Many or Confusing Regulations?
  • Dysfunctional Best Practices, Guidelines and Processes?
  • Inferior Internal Controls?
  • Mediocre, Ineffective and Inadequately trained Audit Oversight?
  • IT Complexity?
  • Lack of Risk Awareness?
  • Focus on the wrong Risks?
  • Probability Neglect?
  • Heuristic Bias?
  • Subjective and Intuitive Judgment Error?
  • A combination of all of the above?

Regulatory Landscape:

  • There is a plethora of regulatory compliance rules that companies must be aware of, and mitigating the risk of non-compliance is exhausting. The regulatory landscape is full of compliance land mines for the unaware organization: Sarbanes-Oxley, HIPAA, Basel II, Gramm-Leach-Bliley, SEC Rules 6835 & 17-a, the TREAD Act, FCC-LSOG, the USA Patriot Act, the California Security Breach Notice Law, and the list may as well go on ad infinitum. There are services that organizations now subscribe to just to keep up with all the regs.
  • In addition, there is a large group of guidelines and best practices that are intended to protect our organizations from crisis, e.g. BCM Institute, British Standard BS25999, ISO 22301, HB 221:2004, HB 292:2006, NFPA 1600:2007, MS 1970:2007, ISACA, COBIT, ASIS, ITIL.

State of the Technology:

  • The Ponemon Institute estimates that organizations worldwide are losing over $35 billion monthly from data center downtime.
  • Meta Group estimates that businesses lose an average of $1 million in revenue for every hour of downtime.
  • Nicholas G. Carr points out in his seminal Harvard Business Review article "IT Doesn't Matter": "today, an IT disruption can paralyze a company's ability to make products, deliver its services, and connect with its customers, not to mention foul its reputation … even a brief disruption in availability of technology can be devastating."
  • Roger Sessions also attempts to quantify the problem in his "The IT Complexity Crisis: Danger and Opportunity", in which he calculates that IT failures are costing businesses $6.18 trillion per year worldwide. The cost of IT failure is paid year after year, with no end in sight. If this trend continues, within another five years or so a total IT meltdown may be unavoidable.

BCM must begin to apply the principles of Prospect Theory and loss aversion to promote better decisions regarding operational resiliency, high availability and disaster recovery.

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec's Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries, and tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; with IBM Global Network as an Outsourcing Project Executive; with Comdisco, where he was Western Director of Technology Consulting; with KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and with Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by the Computer Measurement Group, and currently he sits on the Advisory Board for Continuity Insights and serves as their Technology Chair. He has been the Cloud Special Interest Group Leader for the Outsourcing Institute and the Business Continuity Focus Expert for the Information Technology Infrastructure Management Group. He is an advisor to the Business Continuity Services Group. Dennis has written award-winning professional articles and white papers, and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at worldwide industry conferences. His current topical expertise includes: "3 Simple Complexities of Data Protection", "Think About Never Failing, Not How To Recover", "Focus On The Largest Source Of Risk: The Data Center", "Risk Economics", "Gaining Competitive Advantage: The Myth of the Resiliency Paradox", "Eco-Friendly Data Center", "Virtualization, a Resiliency Enabler", "Economic Impact of Interruptions", "Risk-based Business Continuity", "High-Stakes Business Impact Analysis", "A Risk-Based Approach to Internal Controls", and "Resiliency: Clearing the Five Nines Hurdle".