Category: DR/Crisis Response/Crisis Management

In the current episode, the down-leg of the financial cycle had not proceeded as far and banks were further away from the point of technical insolvency.
However, the underlying weakness in balance sheets has not been recognised as fully. All this has tended to slow down resolution. In other words, the zombie banks live on just as they have in Japan.

Principle 1: Early recognition and intervention
The nature and size of the problems should be recognised early and intervention should follow quickly. The purpose of early recognition and intervention is to avoid a hidden deterioration in conditions that could magnify the costs of the eventual resolution. A key reason why costs tend to increase as action is delayed is that economic agents operate under distorted incentives.

Principle 2: Comprehensive and in-depth intervention
Intervention and resolution should be broad-ranging and in-depth. The overriding objective is to restore lasting confidence in the financial system and its capacity to operate effectively and sustainably, without public support. Intervention includes three critical steps: (i) stabilising the financial system; (ii) restructuring balance sheets; and (iii) re-establishing the conditions for the sector’s long-term profitability.

Principle 3: Balancing systemic costs with moral hazard P3: Intervention should strike a balance between limiting the adverse impact on the real economy and containing moral hazard.

http://seekingalpha.com/article/219124-bis-we-have-failed-to-learn-from-the-nordic-crisis

Disaster planning is critically important for individuals, families, organizations large and small, and governments.

For the individual, it can be as simple as spending a few minutes thinking about how he or she would respond to a disaster. For example, I’ve spent a lot of time thinking about what I would do if I lost the use of my computer, whether by equipment failure, theft or government seizure. As I a result, I have a pretty complex backup and encryption system, ensuring that 1) I’d still have access to my data, and 2) no one else would. On the other hand, I haven’t given any serious thought to family disaster planning, although others have.

For an organization, disaster planning can be much more complex. What would it do in the case of fire, flood, earthquake and so on? The resultant disaster plan might include backup data centers, temporary staffing contracts, planned degradation of services and a host of other products and service — and consultants to tell you how to use it all.

And anyone who does this kind of thing knows that planning isn’t enough: Testing your disaster plan is critical. Far too often the backup software fails when it has to do an actual restore, or the diesel-powered emergency generator fails to kick in. That’s also the flaw with the emergency kit suggestions I linked to above; if you don’t know how to use a compass or first-aid kit, having one in your car won’t do you much good.

But testing isn’t just valuable because it reveals practical problems with a plan. It also has enormous ancillary benefits for your organization in terms of communication and team building. There’s nothing like a good crisis to get people to rely on each other. Sometimes I think companies should forget about those team building exercises that involve climbing trees and building fires, and instead pretend that a flood has taken out the primary data center. It really doesn’t matter what disaster scenario you’re testing.

The real disaster won’t be like the test, regardless of what you do, so just pick one and go. Whether you’re an individual trying to recover from a simulated virus attack, or an organization testing its response to a hypothetical shooter in the building, you’ll learn a lot about yourselves and your organization, as well as your plan. There is a sweet spot, though, in disaster preparedness. Some disasters are too small or too common to worry about. It makes no sense to plan for total annihilation of the continent, whether by nuclear or meteor strike: That’s obvious.

But depending on the size of the planner, many other disasters are also too large to plan for. People can stockpile food and water to prepare for a hurricane that knocks out services for a few days, but not for a Katrina-like flood that knocks out services for months. Organizations can prepare for losing a data center due to a flood, fire or hurricane, but not for a Black-Death-scale epidemic that would wipe out a third of the population. No one can fault bond trading firm Cantor Fitzgerald, which lost two thirds of its employees in the 9/11 attack on the World Trade Center, for not having a plan in place to deal with that possibility.

If your corporate headquarters burns down, it’s actually a bigger problem for you than a citywide disaster that does much more damage. If the whole San Francisco Bay Area were taken out by an earthquake, customers of affected companies would be far more likely to forgive lapses in service, or would go the extra mile to help out. Think of the nationwide response to 9/11; the human “just deal with it” social structures kicked in, and we all muddled through.

A blogger commented on what I said in one article: Schneier is using what I would call the nuclear war argument for doing nothing.

Bird flu, pandemics and disasters in general — whether man-made like 9/11, natural like bird flu or a combination like Katrina — are definitely things we should worry about.

http://www.wired.com/politics/security/commentary/securitymatters/2007/07/securitymatters_0726

On this topic IBM aims continuous data backup software at SMBs One in five firms has no disaster recovery plan MessageLabs launches e-mail archival service Protecting Remote Office Data: D2D Backup/Recovery Solutions Protecting Microsoft Exchange: The Need for Disaster Prevention and Optimization Best Practices for Disaster Recovery Across the WAN Costs and Consequences: Securing sensitive data at the edge of the network and beyond Data Protection – A Top Priority: Reduce the Risk of Costly Data Breaches A Guide to Reducing the Risks of Costly Data Breaches security.itworld.com.

Ultimately IT is there to serve business, and disaster recovery planning should be no different. Well, most IT shops still don’t get it, according to EMC Canada consultant Iain Anderson. People are still making technology decisions, and not business decisions.

According to Paul Saxton, lead consultant in business resiliency at IMB Canada Ltd., recovery capabilities have to be matched to the business requirements. “Understand that disaster recovery and business continuity are part of overall risk management,” he says.

“One of the challenges I see all the time is that business continuity and disaster recovery fall back to the responsibility of IT, and IT’s normal response is to throw technology at it,” says Anderson, client director at EMC Corp. of Canada. Anderson says IT has a responsibility to understand how business workflow ties in to business applications, and how those applications in turn are supported by infrastructure. “We tend not to spend enough time communicating out there with the business units and understanding what their business problems are,” he says.

As a type of insurance policy, it’s helpful to know what threats and vulnerabilities you’re likely to come up against. Unless you’re in a tornado area, on a fault line or flood plane, you probably won’t be building a mirror site of your entire IT infrastructure. But going through that vulnerability and risk assessment can be a heated debate, says George Kerns, president and CEO of Fusepoint Managed Services Inc.

The budget for a recovery plan is large compared to the operating budget, and if the chance of a disaster occurring isn’t high, how do you avoid spending too much? “I think this has to come down to a rational conversation between the CIO and the CEO,” says Kerns. He says most business units believe their IT systems can be back up within hours, while IT will estimate a couple of days and an actual assessment of the technology will reveal a further gap.

“This is a big area where more testing needs to be done, with a more rigorous, more integrated approach and a stronger level of governance around it,” he says. And don’t test to pass; you have to test to fail, says Anderson.