A Deep Dive into Risk Assessments: Webinar Transcript

Aug 18, 2022

Veoci Staff

Beth Frasure  00:06

As you can see on the slide, I am a master business continuity professional with DRI. I've been in the industry for over a decade. Now, I don't like to say any more than that because the lady never ages herself. But I've been doing this for a while. I've done risk assessments, I've done business continuity plans, disaster recovery plans, ITDR plans, the whole kit and caboodle. I've been involved in it.

Beth Frasure  00:28

So as she was saying, I am very passionate about business continuity, and I love to get on my soapbox. But today we're going to focus on risk assessments. Now one of the things that I've noticed about risk assessments is that a lot of people struggle with it. It's a particular process that a lot of people don't know how to start off with or how to get into it, it seems like a very daunting task, and it can be. But first, before we dive too deep into that, let's start off with some basic terms. Now, I know this is going to be review for some of you, but I want to make sure that we're covering the terms I'm going to be using in this discussion so that we're not losing anybody during the discussion. If at any time I use a term that you don't know, please put it in the chat. If you don't know it, more than likely somebody else doesn't know it. And sometimes I get so into the industry jargon as far as business continuity jargon that sometimes I forget that something needs to be described. So please make sure you throw those in there. And Julie will go ahead and ping me and let me know when she needs to interrupt if I have to define a term.

Vocabulary Review

Beth Frasure  01:30

Now the first term we're gonna go over is RTO, which is recovery time objective. Again, I know most of you probably know this, but I'm just gonna give a quick definition of it. Recovery time objective, the best way I found to describe that is how long can you have a process, function or an asset down? So can it be down for an hour? Can it be down for a week, whatever the case may be? The next term is recovery point objective, which is a point in time, it's essentially how often does the data need to be restored? So essentially, how much data can you stand to lose in the event of some sort of outage or emergency? So what point of time do you need to look at to have that particular data backed up to? Assets, when I say the term assets, I'm referring to computers, people, buildings, applications, any of those. Assets in this aspect is going to be a very broad term. And then processes and functions. Processes or functions are essentially a duty that a particular business unit does whether it's doing payroll or whether it's doing some sort of ticketing system, or whether it's inserting a ticket or creating a trade for a client, whatever the case may be. That's kind of what I'm referring to on assets and functions. And then, now that we've covered the basic terms, we're going to the next slide, we'll go over the risk assessments, and then we'll go into a risk matrix that we utilize, I'll kind of dive deep into Octave, which is a risk methodology that I've used in the past, and then we'll discuss a little bit about Veoci.

Which Type of Risk Assessment Should I Use?

Hazard Vulnerability Assessment

Beth Frasure  03:14

And if I start to talk way too fast, please let me know because I get excited. When I get excited about business continuity, I start to go at the rate of Speedy Gonzalez, for those of you that may know who that is. So the first one we're going to review is hazard vulnerability assessment. Now, a hazard vulnerability assessment is event centric. And what I mean by that is it revolves around preparing for a particular event. For instance, if you're preparing for a hurricane, an earthquake or flooding, a server failure, it turns around and looks at building, the asset and identifying what risks you have based off of a particular event. Now, it's strictly event related, and you're going to have a plan for each one of those events. And then you're going to look at how it could potentially impact you, impact your data, what is the probability of it happening, so on and so forth. So that's what a hazard vulnerability assessment is. You see this more in the public sector, and I use the public sector term very lightly. But you're looking at hospitals will use a hazard vulnerability assessment, fire departments, police stations, things of that nature, because they have to take in consideration how it's not only affecting their location, but how it would also potentially affect the entire town or city or whatever the case may be, because they're going to be impacted by that as well because they're going to have an influx of patients they have to prepare for or an influx of fires they have to respond for during those events. So definitely I see that more popular with the public sector as opposed to the private sector, and again, I use these terms very loosely.

How do you decide: Event vs Asset Based Risk Assessment  

Beth Frasure  05:06

Now, event versus asset. The difference between this is you're looking at, again, you're looking at whether you're going to use an HVA, or if you're going to use an asset based risk assessment methodology, and this I will go into in the next two of them. You have to decide for your company, which is going to be best. Do you need to prepare for all events? Or do you just need to look at an asset, and what happens if it's down? Do you need to concentrate on if we lose this server, these applications are going to be affected, or if we lose, this team becomes unavailable, or this person becomes unavailable. And when I say asset, again, you're looking at servers, people, application, hardware, equipment, locations, you're taking those assets and breaking them down and analyzing the risks that could pose to those individual assets. So I've noticed this works a lot better for in my past lifetime, I worked for a financial firm and asset based risk assessment made a lot more sense. And I think it's becoming more popular now that a lot of the world has turned into a remote, from-home base, as opposed to having to physically go in an office, events aren't as critical as they used to be. So a lot of companies have switched from the event centric risk assessment as opposed to doing a or have switched from the event risk assessment and then have gone to the asset risk assessment because it makes more sense. No longer are we confined to a building and if the building's affected, then the entire company is going to be dealing with a massive issue because that location is down. Now we've come more into you have ITDR plans, creating resumption plans, and creating backups for all of the systems where it's no longer restricted to one location if one location goes down. Normally, most of the time, it can quickly or fairly quickly, depending on the criticality of the asset be brought back up in another data center location or whatever the case may be.
So it really is personal preference, though, it's really what's going to work well with your company's environment, your company's production, how things work. Because obviously, an asset based risk assessment is not going to work for say a company that has a factory, because there's specialized equipment, people have to go into that location, they have to be able to use that equipment to be able to complete those particular processes. That being said, some companies will decide you know what, these IT items, we can do an asset based risk assessment for the IT items and day to day items. But we need to do a resumption plans for these warehouses or these factories, and then turn around and do an event based risk assessment for those locations. So again, it's just depends on your infrastructure and what's going to work best not only for your infrastructure, but also your culture, your culture may be more that they understand event way better than they understand assets.

Beth Frasure  08:15

You really need to sit down, and my recommendation is get a steering committee. If you have a business continuity steering committee already, bring it up to them take those C suites when you have their ears and say, look, here's some ideas that we can do for these risk assessment, what's going to be the best, best practice? You know, and research and understand both of them thoroughly. And I'm always available for questions. So don't hesitate to hit or shoot me an email if you have questions after the fact. Because when you start really getting into this, depending on where you're at in the process, it can be very confusing, and it can be very overwhelming. When I started doing risk assessments, I looked at the risk assessment that me and my manager had decided to utilize and I'll go over that that's the Octave, I'll go over that later. But I looked at it and I was overwhelmed. So it can be extremely overwhelming. But one of the things you really want to do is look at what you have in place already.

Beth Frasure  09:09

More than likely, if you're working if you're with the business continuity department, and this is something because you're starting new, the IT department may already be doing one or your IT risk manager may be already doing one. And that's where you can combine efforts and work together. Because you want to make sure that you're utilizing the same risk assessment across the board. You don't want John in IT risk doing one risk assessment. Let's say he's using the Octave method. And then you're using an event centric risk assessment. You guys are duplicating efforts when you don't need to be so definitely talk to him. Another thing that I always recommend, talk to your internal, and I'm going to emphasize this because when I do this presentation in person, I always say, say it back to me, internal. Talk with your internal audit department. See what they're looking for, see what they're being asked to review as far as the business continuity programs. I became really good friends with my internal audit person and I was able to get an idea, okay, what are they, what is coming down the road? What do I need to prepare for next year? So that way I know to improve my business continuity plans, my risk assessment plans, ITDR, the whole kit and caboodle, I knew how to improve it ahead of time. I knew what was potentially coming down the road and what we were going to be audited on and what I needed to be prepared for. And normally, if you look at that internal audit, and you are able to have those candid conversations with them, it helps you with external audits, because they're probably going to be looking, for the most part, for the exact same thing. And occasionally, you'll get hit with something new or something that you weren't prepared for. And then they give you the usually six months to a year to fix that.
But definitely try to get on board with the internal audit, if you can, having those individuals in there is an amazing process, and an amazing help and asset to the entire program overall.

RTOs and RPOs

Beth Frasure  10:59

So now let's go over the IT RTOs versus the business unit RTOs. And this is also the same for the RPOs as well. How this, this is how I initially started, it's one of the simpler ways to do a risk assessment. And then you can also utilize it to do the gap analysis. So if you're looking at the if you're creating an ITDR plan, and then you're looking at your business unit, business continuity plans, and you're comparing the assets, and seeing what the RTOs and RPOs are, it'll allow you to really assess your risk to see if there's a risk. Hypothetically speaking, let's say that IT has server A with an RTO of a week. And the RPO is one week as well. So they're considering that it's important because it's done once a week, but it's not as critical. But the business unit comes back and says no, this is something that we're constantly changing, we need that we can't lose more than four hours worth of data and it can't, the system cannot be down more than four hours.

Beth Frasure  12:01

There's the assessment right there, you're seeing that there's a gap because IT department's doing one thing, but the business continuity department or excuse me, the business unit is asking for another, it's not matching up. So that's the assessment that you're doing. And then it goes very smoothly into the gap analysis, because then you can take the reasons the business unit is saying this is so critical and so important to take it back to the IT department. And this is where your negotiation skills come into play. Because normally what's going to happen is the IT department is going to say, well, we can do that, but it's going to cost you X amount of dollars, then you go back to the business unit and then they turn around and say well, no, maybe that's not so important. We can stick to what we have a minute, things get updated and changed and it all matches up. That's one of the easiest risk assessments that I have done. And I've noticed it's the quickest to get off the ground, because you've already got your ITDR  plans built. If not, you definitely can get those built, which is something that you should have. And then the business units can look at their business continuity plans and then it's a kind of a back and forth until you go through that. But you're being able to complete on the risk assessment as well as the gap analysis simultaneously.

The Octave Method

Beth Frasure  13:16

Now, let's go into the Octave method. This is the very scary, very robust system, or, excuse me, robust risk assessment I said before. I'm going to stop here for a quick polling question, if it will let me.

Beth Frasure  13:37

So the first question I'm going to ask is, what aspects of the risk assessments are you struggling with? Are you struggling with getting started? Are you struggling with determining which methodology to use? Are you not getting upper management support? Which is extremely important because you always want to make sure you have the C suite. Are you struggling with finding an appropriate tool? Or is there other? And if there's other, if you answer other, I'm going to ask that in the chat you put what that other is because I definitely would like to go through that. So we're going to take a 30 second break to give everybody a chance to kind of answer that.

Beth Frasure  14:14

Looks like the biggest, oh, it looks like you guys are struggling with finding a tool. Well, that's good to hear. It's not good to hear obviously, because anybody is struggling is not a good thing to hear. But that's good to know. It sounds like a lot of you already have, some of you are struggling with determining what methodology to use. And again, it's just dependent on your culture. You really have to look at how you're building your business continuity plans, how you're doing your ITDR plans. I know some companies are still siloed, where the IT does their own thing, business continuity works with the business units, they do their own thing. So my recommendation is, if it's siloed, like that, you're probably wanting either going to go with the, the HVA, or you're going to want to look at doing possibly an asset base, but then you're going to have to get IT involved with that, that can be a little bit of a struggle. Now, the nice thing about those struggling to find a tool, Veoci is a great tool for doing the business con- or tool for doing the risk assessments and the business continuity plans. So it's definitely something that we can offer. Later on, I will ask a question about who would like a demo, and you can definitely add your name to the list. But we definitely have quite a few, HVA is one of the ones we have 100% built out. But the nice thing is, is Veoci is so customizable, if you already have a methodology that I haven't listed here, or if it's something that you guys have developed in house, we can create the system to match that. Veoci is a very customizable tool. And it's really nice. We have some great solutions engineers that have built a lot. I've seen this system used for so many different things that using your first assessment would be pretty simple.

Beth Frasure  15:36

So let's move on to the next question, because I got myself behind on my questions, because again, I got on my soapbox. Okay, so the next question I want to ask is, have you started your risk assessments?

Beth Frasure  16:48

I'm kind of getting an even split, which is kind of what I expect. And here's the reason I say that COVID redirected us so badly in the business continuity world. We were in the process of updating our plans, doing our pandemic plans, doing all of our risk assessments, gap analysis and everything, and then everything shifted when COVID hit. So it does not surprise me at all that we're at a 50/50 mix for that. Because I think some people were further along in the process where they were starting the risk assessments before the pandemic hit. And then some people were just getting into it and it was their next step in their process and COVID hit. So I mean, it definitely that does not surprise me at all, everybody's going to be in a different process, or different steps in the process. Business continuity is not a one and done. It's a constantly living program. It's constantly changing. There's constantly changes to industry, there's constantly updates that need to be made.

Beth Frasure  17:45

And then the next question, and I'm just gonna let this question kind of sit there out there for a little bit. I want to find out what risk assessment methodology are you using now? And if it's not listed, please put in the comments which ones you are using. And with that, we'll leave that poll up for a while. I'm gonna go on to the Octave method. Now, as I said, the Octave method is kind of a complicated system. Now, I am going to show, and Julie, please confirm that you can see the page that I just put up on the screen for me, please.

Julie Reynolds  18:25

I am still looking at the poll. Oh, yeah. See, we can only show one thing at a time. So while we have the poll running, yeah.

Beth Frasure  18:34

That is good to know. I'll give it a couple, I'll give it another 30 seconds for the poll.

Julie Reynolds  18:41

In the meantime, Beth, we actually do have someone who's wondering about ITDR, and what that stands for?

Beth Frasure  18:48

Oh, I apologize. ITDR is information technology disaster recovery. So essentially, think of it like the best way I've found to explain it to those not familiar with ITDR, is it's a business continuity plan for the IT department. They're obviously more focused on the process or the assets and the servers and the applications. They go more towards the back end of things as opposed to dealing with processes and people and client facing things they deal with the back end stuff and applications.

Julie Reynolds  19:25

Thank you. Also, Beth, if you'd like, you aren't able to share the results with everybody. So I don't know if everyone on is curious about which methodology other folks on the line are using. But you can share the results if you want to.

Beth Frasure  19:42

I would love to do that. I'm just not sure how.

Julie Reynolds  19:44

So it should have a button on the same way that you ran the poll. Now that you've run it, it should give you an option to share results.

Beth Frasure  19:55

Oh, here we go. So um, looks like thank you very much, Julie. And I apologize. I'm still, I struggle with technology at times when it comes to which presentation system I'm using.

Beth Frasure  20:06

So as you can see, the majority are using HVA. I would love to hear the 30% that are using other, what methodology you're using, because there's so many out there, and I obviously can't cover them all. And then we have 10% using the IT versus business unit, my personal favorite and 5% using Octave. That's very impressive. The last time I gave this presentation, not very many people had heard of Octave. So for those who are using Octave, this is going to, now can you see my presentation?

Julie Reynolds  20:41

Let me see here. Nope, we are still looking at the poll results. You have to fully like exit the poll, and then we should go right back to your slides. There you go.

Beth Frasure  20:52

Thank you. Sorry about that, guys. So those that have used the Octave method, you're familiar with this tree, I'm sure if you're using this one, or you may be familiar with to the work pages that Octave Allegro uses. I was going through that switch when I left my previous firm. I'm going to go into this bigger.

Beth Frasure  21:19

Okay, perfect. So as you can see, I have a portion of the Octave method, but I wanted to go further into this because one of the things I noticed when I was explaining is not a lot of people have heard of the Octave method. This is an IT security risk methodology. So I reported to the head of IT risk, which took not only business continuity ITDR into consideration, but also the IT security, IT infrastructure as far as what their risks were, as well. So we wanted to find a risk assessment that accommodated both. So the way the Octave method works is it takes the critical asset, and again, this is obviously very asset based, takes the critical asset looks at whether it is a, and this is a small chunk of the Octave tree, there's a huge chunk, this is only addressing network access. I believe if memory serves correctly, there's four other that they look at but it takes in consideration, so we're looking at the network access and then it decides is it an inside threat or outside threat? So is John in the IT department or the networking department upset? So he's going around pulling out cords that he shouldn't be pulling? Because he's upset about the fact that he doesn't have a stand up desk? Or is it somebody outside that has used some way to get into the system, whether they're breaking in, whether they're using social engineering, whatever the case may be, they've gone in there and have gotten into our networking closet that they aren't supposed to get into. And they're pulling out cords.

Beth Frasure  23:04

You know, the next thing they take into consideration was an accident. Did John go in there to fix a network connection and tripped over a cord and yanked out five of our servers now no longer have internet connection? Or is it deliberate, because he's still mad about not having a stand up desk? And then it goes into even further, whether you're looking at was the resulting effect, was the outcome going to be disclosure? Our information is getting out there that shouldn't be? Is it going to be modification where the information is being changed when it shouldn't be? Or is it going to be a complete loss and destruction? Or is it just going to be a minor interruption, you know, him unplugging cords, that's going to be a minor interruption in that example. But if he turned around and cut all the cords, well, that could potentially be identified as a loss or destruction. Or if he's switching cords around so our firewalls are all messed up and the correct IP addresses aren't listed, that would be a this, you know, a modification of the system. Or is he sending out our IP addresses out to all the bad hackers in the world and they're going to come in and try to mess up, block our network and mess up our IP addresses? Because those are things to take in consideration. And that's how Octave does it. Now this is a very thorough deep dive of doing a risk assessment. It's 100% looking at every single asset and you're not just looking at the asset once, you're looking at it four different times there, you're taking network access into it, you're taking, you know, a server destruction in there, you're taking human threats in there, they're also taking into consideration if there's some sort of hack there are quite a few different and that's for one asset. So you're reviewing this asset 100 times through different routes. And that's the nice thing about the tree because it covers every single possible vulnerability that you may have. It makes you think about every little thing.
But it's extremely, Octave, it's extremely time consuming. When I went through it, it was a lot to go through the assets. You know, we started off going with doing the Octave method on all the critical assets, and then we moved into all our urgent assets, and then our beneficial assets. Those are the criticality ratings that we used anyway, but we went through, and we looked at every single one of this, and we gave them a rating.

Beth Frasure  25:32

So next, we're going to go into the, into the rating slide. So this is the risk methodology that we utilize, there's definitely a lot out there. And mathematically, we kind of customized it where it was high, medium, or low. To simplify the process, we just stuck with high, medium or low and then we took into consideration what the likelihood was, we took in consideration what the impact of a consequence would be, but this is essentially obviously you can see there's a lot more numbers on this, we did a nine by nine. But either one that you take, what this does is this risk matrix allows you to identify, how large of a risk is this asset? Or, if you decide to go with the event risk methodology, how likely is this risk? You know, obviously, in Montana, where I'm currently at, the likelihood of me getting a tsunami, is like nil. But the likelihood of me getting a snow storm is very high. So that would be an event that I need to prepare for. So we would turn around and do snowstorm almost certain. Well, but what's the impact? The majority of the time, the impact of a snowstorm for us is significant but not it doesn't shut us down. It's definitely not severe, or major. Now, if we get like 20 feet of snow, which hasn't happened in the last 20 years, that would be extreme, but for the most part, the most common process is it could be a significant impact on us. Now you can break that out. And you can turn around and say, okay, you know, what's the likelihood of a massive blizzard. If we're doing an event, because saying a snowstorm in Montana, we get snowstorms all the time, it's not a big deal. But saying that it's a massive event like a massive blizzard that's going to shut everything down. Well, that's a lot. It's not rare. I would say it's rare, we don't really get too many blizzards here that shut us down just because our infrastructure as far as our power supplies and everything like that are all used to heavy snow.
So it's very rare that we get a blizzard, that's going to be massive impact. So we would say you know, rare, but it would be severe. If we did get one it would be severe. So it's definitely something you want to prepare for, you want to make sure people can work from home, because if they can't get into the office, you want to make sure that you know our systems have that we have backups in the building so that way the servers need to be brought up that kind of thing. So that's what you're looking at.

Beth Frasure  28:14

Now one of the things that I've also seen some companies do is they take this risk matrix, and that's what they use for the risk assessment. They give it a score, and then identify, going through the gap analysis, which is a whole other presentation on its own because the gap analysis can get really complicated. But you know, having that score allows you to look at how much effort and time do we need to put in that particular, whether it's an asset or a process, or an event? How much effort do we need to put into to prepare for it? That's the entire point of a risk assessment is you're looking at how are we currently prepared? What do we currently have in place? What are the areas that are most important, whether you're looking at event or an asset? What is the most important? What do we need to make sure it's up immediately what can wait a couple of days, it's gonna be a pain to play catch up, but what can wait a couple of days before we brought it back up? And once you're able to identify and categorize and look at what you have, and what risks that the company has, then you work into the gap analysis and look at how you can either remedy that risk, reduce the risk or completely accept that, you know, it's a risk that we have, we know what's the risk that we have, but we're willing to accept that. This is all building up and risk assessment all builds up to you. The end goal is to find out how do we make these risks either gone, mitigated or accepted. And that's not something that business continuity department should be doing, that's not something that the IT department should be doing. It should be a combined effort, the business units and the IT department should be looking at it together and really identifying because what IT finds important, the business unit is probably not going to find important, what IT doesn't find important, the business unit is probably going to find important.
So this is definitely one of the things, you want to make sure that you're bringing those two together and really looking at what you have to the company, how it affects the company by not having it. What are you going to do to be able to make sure that these risks aren't affecting your company severely. And that's your biggest argument when you're going up to the C suite. You want to make sure you're looking at how critical a particular asset or an event is, how much should you be prepared. And this risk assessment allows you to have the data and the backup information that you need, or the supporting information that you need, to be able to ask for more money to get a software that will help you do this risk assessment because it is important. Most industries are requiring that a risk assessment is done. So that way you can be aware of what your risks are.

Veoci and Risk Assessments

Beth Frasure  31:09

So before I move into going a little bit over what Veoci is, and what we're made of, does anybody have any questions right now? Risk assessment is a huge ball of wax to try to address in 45 minutes. So I know there's probably things I have not covered. And I want to give you guys a chance to ask those questions that you may have on risk assessments, because it is so important.

Beth Frasure  31:31

I don't see any questions as of now. So I'm gonna go into the Veoci risk assessments, but please don't hesitate to put those in while I'm going through kind of Veoci, the software and going over those pieces of it. And I'm gonna say right up front, and Julie is gonna hate me for this. I'm not a salesperson. Business continuity is my thing. I don't like doing sales, I am very much a how can I help you get your business continuity plan or your risk assessment or your ITDR or whatever the case may be up and running? But Veoci is a great software. The nice thing about Veoci is, as you can see, I'm not going to read it to you, we have a lot of solutions and this doesn't even touch the iceberg. I have some clients that use the software to do studio check in points where their guards will check into the system to verify that they've checked a particular spot on a studio location. I have some that have used it for as it's listed there, COVID solutions, where we have their employees coming in and saying they've gotten vaccinated or they have been exposed and they need to take time off whatever the case may be crisis management, incident management. I have a client who uses it to track the travel of their particular stars that needs to be on site and what locations. So it'll show you where Tom Cruise is going to be on at such and such a date and they know that he needs to be on site for this production. I have some clients that use it to identify where their fire extinguishers are, when's the last time the fire extinguisher was checked and maintained? And of course, all of these as well as the inventory management, asset management, I have clients that use it for project management, they also use it for daily operations.

Beth Frasure  33:26

And what sets us apart from a lot of other business continuity software is that we eat and breathe Veoci. We do everything; our company completely 100% works out of Veoci. So you have your CSMs, which is what I am, a customer success manager, you have your solutions engineer, they're all in Veoci on a daily basis, probably sometimes more than we'd like to be. But we're 100% in the system. We completely know how to use it, we 100% are able to help and if we don't know the answer, because I will tell you right now I am not nearly as technically savvy as my solutions engineers. But if I can't figure out how to do it, I will be able to find a solutions engineer that can tell me how to do it and I will be able to get you that answer very quickly. Available 24/7, we have a service desk that's available 24/7. So if your particular SE or your particular CSM isn't immediately available, that service desk will be able to help you and that's the nice thing about Veoci. We're a very tight knit team. So I definitely liked that aspect of it.

Beth Frasure  34:38

So one of the questions that was asked is how much time would you say a solution like Veoci would save you as far as risk assessment? I wish I would have this way back when. Because yes, the initial start off can be difficult depending on what risk assessment you're utilizing getting started but if you have not started and the previous question, we had quite a few people that hadn't if you had not started it yet, we can easily build a solution to your liking that will make it that much quicker. So instead of doing massive amounts of spreadsheets, which unfortunately, that's what I was doing back in the day, having the system automatically reach out to the key individuals that need to verify once you get the initial risk assessment completed, every year, that renewal every year of having to reach out to have the system reach out to him and say, hey, has anything changed? Is there any new software, whatever questions you want to ask takes so much of the maintenance time off of the process. It's a lot less of chasing the person down every year to get them to verify. Once you get the initial risk assessment, then it becomes just like the business continuity plan: maintenance and upkeep. You're doing a yearly review of it, if there's any major technology changes, you definitely need to add that, if there's any situation if all of a sudden knock on wood, if all of a sudden we started having hurricanes in Montana, we needed to add that as an event, you could easily add that into the system and then do the risk assessment on that. I think having a solution where it's all in one. And also a solution that allows it to automatically reach out to the people that you need it to, makes would have made my life so much simpler. So for those of you that have been in the business continuity world for a while, I am definitely aging myself now, I have seen massive improvements. The question is, have you seen technology change over the years? I've seen massive changes. 
So when I started out in the industry, I was using LDRPS. And normally, this is when I get a few nods in the audience that they have seen or heard of LDRPS. It was the original software that was way back when years and years and years ago. And that was a very complicated and unintuitive system.

Beth Frasure  35:13

Veoci is definitely miles and leaps ahead of that. And the other thing that I like about it is the fact that it's so customizable. I can use it for whatever I want. And it becomes an all in one tool.

Some quick insights from an expert

Beth Frasure  37:18

What I'd like to see in the future, and this is not so much for software, as it is for the industry as a whole, I would like to see it less siloed. I was in my own little bubble when I was working at my previous firm so I didn't realize how siloed a lot of other companies are to where you have IT doing their own thing, business continuity, doing their own thing, IT risks doing their own thing, and 90% of the time, they're all doing risk assessments. And they each have their own methodology and how they're doing it so everybody's repeating the process three or four times, instead of just getting together and deciding on a methodology, okay, you take this part, you take that part, and you take that part and making the process that much simpler. Definitely one of the things that I would like to see more. I know, that's normally a cultural change and it's not easy. Because when I started out, that's exactly how my company was. It was IT department, I'd go in and ask them how often a system was backed up and the response I will get for, I would get not will get but would get was, that's none of your business. All you need to know is that I back it up. Well no, I need to know how often it's backed up, because I need to go back to the business unit and find out if it's backed up sufficiently, or if we need to look at changing that. And that was, and this was years and years and years ago. But that was the response I would get. And it was very difficult for me to make them understand I'm not your enemy. I'm here to help you get further and build our business continuity plans and our ITDR plans to be very robust for the system.

Beth Frasure  38:54

Next question I have is for those who haven't gotten started on a program, do you have suggestions to get started? Small bites. Think of a tree full of fruit: one piece at a time. Whether you start doing a risk assessment, so when I started out, the first thing I did is I did not try to take the entire project and do it all at once, I did little pieces. So when I first started doing the risk assessment, I did all the critical or urgent, whatever terminology you use, that's the highest urgency level, I did all, I took all those processes and really analyzed, I sat down with the business unit, really analyzed: are these truly in effect urgent? Are we looking worst case scenario and this is down for a week? Because what I'd find out is I'd have that sit down conversation with them. Well, it would be a pain to play catch up, but we could do it. You know, like the payroll system. Yes, it would be a pain if we had to have our employees enter all that information, a week's worth of information, but we could do it if we had to worst case scenario, and the system went down for weeks we can turn around and add that information up in. Well, then it's not an urgent process. Because the backup for payroll, and I get this question asked to me a lot so I'm just going to answer it. The backup for payroll is, if for some reason your employees can't clock in and out, let's say they're using Workday, for example, or ADP. For some reason the system goes down, they can't clock in or out, whether it's a single sign on issue or whatever the issue is, they cannot clock in or out, well, payroll, you pay them the same paycheck that you paid them the week before. And we'll deal with the once the system's back up and running, we'll deal with fixing things. And normally, where you're gonna see issues with that is if you have employees, like we had brokers that were paid off commission.
So they may be overpaid, or underpaid, but we would fix that in the next payroll and get that all situated out at that time. Because you don't want your employees waiting for their paycheck. There's nothing worse for someone to go well, you know, I know you did all this work for us but we can't pay you for another week because our payroll system goes down. That's not an acceptable situation.

Beth Frasure  41:03

And that brings me into another thought process so I'm very glad you asked that question, is also take into consideration when you're doing your risk assessment, your manual workarounds. If you have a sufficient manual workaround, that would suffice you for a certain number of days or a week or whatever the case may be, yes, it's not ideal. But if that manual workaround would work for you, then that's no longer an urgent process. My payroll went from urgent down to essential, it's something that could be down for a week, we could go without it for a week but you get past that week and we may start having issues. We want to start, we don't want to get to the point where we're owing, you know, hundreds of millions of dollars, because we've underpaid all of these employees just to get them a paycheck out. So that was definitely something we identified as essential. And I say essential, that's a, that was a two to seven business days, that was the timeframe for the essential processes.

Beth Frasure  42:01

So definitely, but getting started, start somewhere, but always do it in small chunks is my recommendation. That's the part where I noticed that made it a lot easier, not just for me, because whatever methodology you're using, the risk assessment can be a very overwhelming process. But it also allows you to take slow steps, you know, go take all the urgent processes for let's say, the IT business continuity plan. Sit down with your IT department, look at all those this and I'm actually that's a bad example because IT I normally try to save for last because IT is so dependent on all the business units and how they critical anything. But let's say our sales department, our sales department is the first one that I start with just looking at their critical processes. Just looking at what those critical processes depend on those assets, if you decide to go asset, then based process, or excuse me, asset based risk assessment. Or even if you do the event centric risk assessment, take one piece at a time and do little chunks at a time, it will keep you from stressing out and wanting to throw your hands up, you'll probably still have times that you get frustrated with it because risk assessments are not like I said, not a simple process.

The Veoci Difference

Beth Frasure  43:19

So we're gonna go on to the next slide, please, if you have any additional questions, keep them coming. So these are where Veoci operates and this is not all encompassing. I'm thinking we're missing a couple of things. But as you can see, we do a wide range of different industries. One of the nice things is that we have some sort of specialist in almost every single one of these industries that came from that industry. So like myself, I did finance, my business continuity plans, my risk assessment plans I created were all finance, we all lean towards more the DRI methodology. But we also have experts in healthcare. We have Lance, who has done the business continuity plans or the COOP plans, because they're more of an ICS and NIMS layout. So is the government. We have the expertise in house, and that's what makes it nice because if, let's say enterprise. Enterprise is covered by a different CSM, but if she has a business continuity question, she comes to me. If there is a methodology or suggestion that they need, they bring me into the call and I say here's what I suggest or what's, you know, we discuss what their company is, how it's laid out, and everything like that. And we allow them to see, here are some of the options that I've seen in the industry that may work best for you.

Beth Frasure  44:41

These are all of the building blocks that Veoci provides. It's a secure cloud platform. And what makes that nice is it's not in house. So if you have a major disaster, whether it's a, knock on wood, it's a breach or whether it's an internet outage for the entire company or if you have some firewall problem, whatever the case may be, a lot of times what happens is a lot of the companies will have that house their business continuity plans, ITDR assessment, the whole kit and caboodle, they'll house them in house. Well, if you've got an outage in house and you can't get to it, that business continuity plan no longer does you any good. You're stuck with, well, it's on my H Drive, or it's on this shared drive that we have and I can't get to it because the entire network is down. So I highly recommend having your business continuity plan, your risk assessments, ITDR plans, all of that outside of house because

Beth Frasure  45:32

I've actually experienced that. We, 10 years ago, we had the business continuity software we're using housed in house. And then we had a server problem and I lost all access to my business continuity plans. That completely makes all that planning completely useless if you can't get to it. So it's definitely one of the nice things about having the cloud platform, you can also utilize Veoci as a communication and collaboration tool where you have a place that is a chat room and you can have back and forth conversations right there. We have that mobile app, which is really nice, because if your computer goes kaput, you still have access to it too. Or if your computers become unusable for whatever reason. You can build dashboards, the dashboard, one of the things I like about the dashboards is you can create pretty pictures for your C suite. Okay.

A quick interlude: Business Continuity vs COOP

Beth Frasure  46:28

Mark, that is completely a different business continuity, the difference between business continuity and COOP, that's a whole nother presentation. I could go on for hours on that. But the basic difference is just how they're laid out. Normally with COOPs you're looking at more towards the public sector, as I was saying earlier, where you're looking at possibly how many of your how many patients may come into a hospital. They take into consideration more of that public how it's affecting the public, how the public is going to have to respond. Business continuity is, yes, we're concerned about employee safety. That's extremely important. I'm not saying it's not, but there's a limit on what we can do. Being that we are limited due to HIPAA.

Beth Frasure  47:17

So if I'm working for my financial firm, and I have an employee get hurt, knock on wood, I have an employee get hurt, and we have to send them to the hospital, that's as far as I can be involved in the process. I have to stop because of HIPAA, I can't get updates, I can't do anything like that. But when you're running a hospital, that's you have to be prepared to bring in patients and an overflow of patients and making sure that all the hospitals are able to take them in. So they're the same but they’re different. And it just varies from how you build your business continuity plan and how you build your COOP plans. But that's the best explanation I've ever come up with with the differences of them. Back to the dashboards, I got sidetracked with that question. Back to the dashboard.

The Veoci Difference (continued)

Beth Frasure  48:01

In my experience, C suites like colors and quick information where they're able to get immediate information very fast. And all they gotta do is they don't want a 60 page document to read. They want to be able to look at something, say okay, that's where we're at, and on they go to the next thing. That's the nice thing about the dashboards because we're able to do charts, we're able to do graphs and things of that nature that will quick, digestible information that's just quick and easy. And you're able to look at and say, okay, I know 73% of our plans are updated and have been tested in exercise. I know 33 of our plans still need to be reviewed or need a risk assessment completed on it. So that's definitely one of my favorite parts of Veoci is the dashboards and how we can create them to customize per group.

Beth Frasure  48:47

The map's really nice too. I have one client who is using the maps to essentially identify where, I believe I said this earlier, but where they put their fire extinguishers so they can keep track of when the last time that fire extinguisher was serviced and how often it needs to be serviced. Keeping all that information, you know, the maintenance track in there as well, do the same thing with a generator, they can identify where the bathrooms are at, something as simple as that. Identifying who sits where in the building. How many people are in that building? How many people are on that floor? Making your floor wardens, when you're doing evacuations, here's a simple list. We have an updated map so you know exactly where everybody's at. And if a fire should break out, they know how many people are on that floor and it makes it definitely easier from that aspect.
