I attended a great seminar this morning where different companies spoke about their issues. This post is a summary of those issues, which you can use as a checklist to see whether they apply to your risk.

  • Asset Management issues are key. Do you know where your servers are located? If you have multiple buildings and assets get moved around without being documented, you won’t know where they are.
  • Employee turnover is an issue for many companies. The knowledgeable Data Center personnel are retiring or getting other offers. If their knowledge is not documented (i.e., Asset Management), the information leaves with them.
  • Core Processing is great. It gives many small organizations, such as Credit Unions, the freedom to let customers go to any branch. But when Core Processing is down, all of the locations are down.
  • Companies that have old technologies in place have a harder time recovering in a Shared Commercial Recovery Site.
  • Mergers and Acquisitions are commonplace. Some companies are waiting to do their BCP and DR Plans until the personnel get settled. This can result in the newly acquired data and business units not being properly recovered if a Disaster happens in the meantime.
  • Companies are outsourcing operations and Data Centers and accepting the vendors’ statement that they have BCP and DR Plans without conducting an audit of those plans.
  • Internal Auditors are not being educated on BCP and DR and yet conduct the audits. They should be trained the same as BCP and DR Personnel.
  • Plans must take into consideration union requirements in International BCP and DR Planning.
  • Although there are policies in place, some Sr. Executives have not been supporting BCP and DR. This was a key issue stated by a few companies at the seminar.
  • BCP and DR are planning in “vacuums” and do not know what is in each other’s plans. This is especially an issue when a Business Unit has a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) that Technology cannot meet, so the DR Plans list an RTO and RPO that it can meet.

Some of these items may seem inconceivable to some, but they were reported as situations that exist at some of the Seminar Attendee organizations.

I hope this list helps you today.